@brett.buskirk/agent-gate 0.1.0

package/lib/config/schema.js

@@ -0,0 +1,66 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfigSchema = void 0;
+const zod_1 = require("zod");
+const SeveritySchema = zod_1.z.enum(['error', 'warning', 'info']);
+exports.ConfigSchema = zod_1.z.object({
+    version: zod_1.z.literal(1),
+    fail_on: zod_1.z.enum(['error', 'warning', 'never']).default('error'),
+    comment: zod_1.z.boolean().default(true),
+    rules: zod_1.z
+        .object({
+        secrets: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('error'),
+        })
+            .default({}),
+        scope: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('error'),
+            allow: zod_1.z.array(zod_1.z.string()).optional(),
+            deny: zod_1.z
+                .array(zod_1.z.string())
+                .default(['.github/workflows/**', 'infra/**', '**/*.lock', 'package-lock.json']),
+        })
+            .default({}),
+        diff_size: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('warning'),
+            max_files: zod_1.z.number().int().positive().default(30),
+            max_lines: zod_1.z.number().int().positive().default(800),
+        })
+            .default({}),
+        tests_required: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('warning'),
+            src_globs: zod_1.z.array(zod_1.z.string()).default(['src/**']),
+            test_globs: zod_1.z
+                .array(zod_1.z.string())
+                .default(['**/*.test.*', '**/*.spec.*', 'tests/**']),
+        })
+            .default({}),
+        dependencies: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('warning'),
+            manifests: zod_1.z
+                .array(zod_1.z.string())
+                .default(['package.json', 'requirements.txt', 'go.mod', 'Gemfile', 'Cargo.toml']),
+        })
+            .default({}),
+        dangerous_patterns: zod_1.z
+            .object({
+            enabled: zod_1.z.boolean().default(true),
+            severity: SeveritySchema.default('error'),
+            patterns: zod_1.z
+                .array(zod_1.z.string())
+                .default(['eval\\(', '--no-verify', 'child_process\\.exec\\(']),
+        })
+            .default({}),
+    })
+        .default({}),
+});

package/lib/diff/git.d.ts

@@ -0,0 +1,9 @@
+import type { DiffProvider } from './provider';
+import type { DiffModel } from './parse';
+export declare class GitDiffProvider implements DiffProvider {
+    private base;
+    private cwd;
+    constructor(base: string, cwd?: string);
+    getDiff(): Promise<DiffModel>;
+}
+//# sourceMappingURL=git.d.ts.map

package/lib/diff/git.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/diff/git.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,qBAAa,eAAgB,YAAW,YAAY;IAEhD,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,GAAG;gBADH,IAAI,EAAE,MAAM,EACZ,GAAG,SAAgB;IAGvB,OAAO,IAAI,OAAO,CAAC,SAAS,CAAC;CAQpC"}

package/lib/diff/git.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitDiffProvider = void 0;
+const child_process_1 = require("child_process");
+const parse_1 = require("./parse");
+class GitDiffProvider {
+    constructor(base, cwd = process.cwd()) {
+        this.base = base;
+        this.cwd = cwd;
+    }
+    async getDiff() {
+        const patch = (0, child_process_1.execSync)(`git diff "${this.base}"...HEAD`, {
+            cwd: this.cwd,
+            encoding: 'utf8',
+            maxBuffer: 50 * 1024 * 1024,
+        });
+        return (0, parse_1.parsePatch)(patch);
+    }
+}
+exports.GitDiffProvider = GitDiffProvider;

package/lib/diff/github.d.ts

@@ -0,0 +1,11 @@
+import type { DiffProvider } from './provider';
+import type { DiffModel } from './parse';
+export declare class GitHubDiffProvider implements DiffProvider {
+    private token;
+    private owner;
+    private repo;
+    private pullNumber;
+    constructor(token: string, owner: string, repo: string, pullNumber: number);
+    getDiff(): Promise<DiffModel>;
+}
+//# sourceMappingURL=github.d.ts.map

package/lib/diff/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../../src/diff/github.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAC/C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,qBAAa,kBAAmB,YAAW,YAAY;IAEnD,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,IAAI;IACZ,OAAO,CAAC,UAAU;gBAHV,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM;IAGtB,OAAO,IAAI,OAAO,CAAC,SAAS,CAAC;CAuBpC"}

package/lib/diff/github.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GitHubDiffProvider = void 0;
+const github_1 = require("@actions/github");
+const parse_1 = require("./parse");
+class GitHubDiffProvider {
+    constructor(token, owner, repo, pullNumber) {
+        this.token = token;
+        this.owner = owner;
+        this.repo = repo;
+        this.pullNumber = pullNumber;
+    }
+    async getDiff() {
+        const octokit = (0, github_1.getOctokit)(this.token);
+        const files = await octokit.paginate(octokit.rest.pulls.listFiles, {
+            owner: this.owner,
+            repo: this.repo,
+            pull_number: this.pullNumber,
+            per_page: 100,
+        });
+        const patches = files
+            .filter((f) => f.patch)
+            .map((f) => [
+            `diff --git a/${f.filename} b/${f.filename}`,
+            `--- a/${f.filename}`,
+            `+++ b/${f.filename}`,
+            f.patch,
+        ].join('\n'))
+            .join('\n');
+        return (0, parse_1.parsePatch)(patches);
+    }
+}
+exports.GitHubDiffProvider = GitHubDiffProvider;

package/lib/diff/parse.d.ts

@@ -0,0 +1,24 @@
+export interface DiffLine {
+    type: 'add' | 'del' | 'normal';
+    content: string;
+    lineNumber?: number;
+}
+export interface DiffChunk {
+    lines: DiffLine[];
+}
+export interface DiffFile {
+    path: string;
+    oldPath: string | null;
+    added: number;
+    deleted: number;
+    isNew: boolean;
+    isDeleted: boolean;
+    chunks: DiffChunk[];
+}
+export interface DiffModel {
+    files: DiffFile[];
+    totalAdded: number;
+    totalDeleted: number;
+}
+export declare function parsePatch(patch: string): DiffModel;
+//# sourceMappingURL=parse.d.ts.map

package/lib/diff/parse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse.d.ts","sourceRoot":"","sources":["../../src/diff/parse.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,KAAK,GAAG,KAAK,GAAG,QAAQ,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,QAAQ,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,OAAO,CAAC;IACf,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,EAAE,SAAS,EAAE,CAAC;CACrB;AAED,MAAM,WAAW,SAAS;IACxB,KAAK,EAAE,QAAQ,EAAE,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACtB;AAID,wBAAgB,UAAU,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAmDnD"}

package/lib/diff/parse.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.parsePatch = parsePatch;
+const HUNK_HEADER = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/;
+function parsePatch(patch) {
+    const files = [];
+    let current = null;
+    let currentChunk = null;
+    let lineNum = 0;
+    for (const line of patch.split('\n')) {
+        if (line.startsWith('diff --git ')) {
+            if (current)
+                files.push(current);
+            current = { path: '', oldPath: null, added: 0, deleted: 0, isNew: false, isDeleted: false, chunks: [] };
+            currentChunk = null;
+        }
+        else if (line.startsWith('--- ')) {
+            if (!current)
+                continue;
+            const p = line.slice(4);
+            current.oldPath = p === '/dev/null' ? null : p.replace(/^a\//, '');
+            if (p === '/dev/null')
+                current.isNew = true;
+        }
+        else if (line.startsWith('+++ ')) {
+            if (!current)
+                continue;
+            const p = line.slice(4);
+            if (p === '/dev/null') {
+                current.isDeleted = true;
+            }
+            else {
+                current.path = p.replace(/^b\//, '');
+            }
+        }
+        else if (HUNK_HEADER.test(line)) {
+            if (!current)
+                continue;
+            const match = HUNK_HEADER.exec(line);
+            lineNum = parseInt(match[1], 10) - 1;
+            currentChunk = { lines: [] };
+            current.chunks.push(currentChunk);
+        }
+        else if (currentChunk && current) {
+            if (line.startsWith('+')) {
+                lineNum++;
+                currentChunk.lines.push({ type: 'add', content: line.slice(1), lineNumber: lineNum });
+                current.added++;
+            }
+            else if (line.startsWith('-')) {
+                currentChunk.lines.push({ type: 'del', content: line.slice(1) });
+                current.deleted++;
+            }
+            else if (line.startsWith(' ')) {
+                lineNum++;
+                currentChunk.lines.push({ type: 'normal', content: line.slice(1), lineNumber: lineNum });
+            }
+        }
+    }
+    if (current)
+        files.push(current);
+    const totalAdded = files.reduce((a, f) => a + f.added, 0);
+    const totalDeleted = files.reduce((a, f) => a + f.deleted, 0);
+    return { files, totalAdded, totalDeleted };
+}

package/lib/diff/provider.d.ts

@@ -0,0 +1,5 @@
+import type { DiffModel } from './parse';
+export interface DiffProvider {
+    getDiff(): Promise<DiffModel>;
+}
+//# sourceMappingURL=provider.d.ts.map

package/lib/diff/provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider.d.ts","sourceRoot":"","sources":["../../src/diff/provider.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AAEzC,MAAM,WAAW,YAAY;IAC3B,OAAO,IAAI,OAAO,CAAC,SAAS,CAAC,CAAC;CAC/B"}

package/lib/diff/provider.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/lib/engine.d.ts

@@ -0,0 +1,15 @@
+import type { Config } from './config/schema';
+import type { DiffModel } from './diff/parse';
+import type { Finding } from './rules/types';
+export type Verdict = 'pass' | 'warn' | 'fail';
+export interface EngineResult {
+    findings: Finding[];
+    verdict: Verdict;
+    counts: {
+        error: number;
+        warning: number;
+        info: number;
+    };
+}
+export declare function runEngine(diff: DiffModel, config: Config): EngineResult;
+//# sourceMappingURL=engine.d.ts.map

package/lib/engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,iBAAiB,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAC9C,OAAO,KAAK,EAAE,OAAO,EAAY,MAAM,eAAe,CAAC;AAEvD,MAAM,MAAM,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAE/C,MAAM,WAAW,YAAY;IAC3B,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,MAAM,EAAE;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,OAAO,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;CAC1D;AAYD,wBAAgB,SAAS,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,YAAY,CAcvE"}

package/lib/engine.js

@@ -0,0 +1,22 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runEngine = runEngine;
+const rules_1 = require("./rules");
+function computeVerdict(counts, failOn) {
+    if (failOn === 'error' && counts.error > 0)
+        return 'fail';
+    if (failOn === 'warning' && (counts.error > 0 || counts.warning > 0))
+        return 'fail';
+    if (counts.error > 0 || counts.warning > 0)
+        return 'warn';
+    return 'pass';
+}
+function runEngine(diff, config) {
+    const findings = rules_1.rules.flatMap((rule) => rule.run(diff, config));
+    const counts = findings.reduce((acc, f) => {
+        acc[f.severity]++;
+        return acc;
+    }, { error: 0, warning: 0, info: 0 });
+    const verdict = computeVerdict(counts, config.fail_on);
+    return { findings, verdict, counts };
+}

package/lib/report/checkRun.d.ts

@@ -0,0 +1,3 @@
+import type { EngineResult } from '../engine';
+export declare function setCheckOutput(result: EngineResult): void;
+//# sourceMappingURL=checkRun.d.ts.map

package/lib/report/checkRun.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checkRun.d.ts","sourceRoot":"","sources":["../../src/report/checkRun.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAE9C,wBAAgB,cAAc,CAAC,MAAM,EAAE,YAAY,GAAG,IAAI,CAezD"}

package/lib/report/checkRun.js

@@ -0,0 +1,51 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setCheckOutput = setCheckOutput;
+const core = __importStar(require("@actions/core"));
+function setCheckOutput(result) {
+    const { verdict, counts, findings } = result;
+    core.setOutput('verdict', verdict);
+    core.setOutput('finding-count', String(findings.length));
+    if (verdict === 'fail') {
+        core.setFailed(`AgentGate blocked: ${counts.error} error(s), ${counts.warning} warning(s) — see PR comment for details`);
+    }
+    else if (verdict === 'warn') {
+        core.warning(`AgentGate: ${counts.warning} warning(s)`);
+    }
+    else {
+        core.info('AgentGate: passed');
+    }
+}

package/lib/report/comment.d.ts

@@ -0,0 +1,4 @@
+import type { EngineResult } from '../engine';
+import type { DiffModel } from '../diff/parse';
+export declare function upsertComment(token: string, owner: string, repo: string, pullNumber: number, result: EngineResult, diff: DiffModel): Promise<void>;
+//# sourceMappingURL=comment.d.ts.map

package/lib/report/comment.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"comment.d.ts","sourceRoot":"","sources":["../../src/report/comment.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAiE/C,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,EACb,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,YAAY,EACpB,IAAI,EAAE,SAAS,GACd,OAAO,CAAC,IAAI,CAAC,CAkBf"}

package/lib/report/comment.js

@@ -0,0 +1,71 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.upsertComment = upsertComment;
+const github_1 = require("@actions/github");
+const MARKER = '<!-- agentgate -->';
+function buildBody(result, diff) {
+    const { verdict, findings } = result;
+    const header = verdict === 'pass'
+        ? '## ✅ AgentGate: Passed'
+        : verdict === 'warn'
+            ? '## ⚠️ AgentGate: Warnings'
+            : '## ❌ AgentGate: Blocked';
+    const lines = [
+        MARKER,
+        header,
+        '',
+        `**${diff.files.length}** files changed &nbsp;·&nbsp; **+${diff.totalAdded} -${diff.totalDeleted}** lines`,
+        '',
+    ];
+    if (findings.length === 0) {
+        lines.push('No issues found.');
+    }
+    else {
+        lines.push('| Rule | Findings | Severity |');
+        lines.push('|------|----------|----------|');
+        const byRule = new Map();
+        for (const f of findings) {
+            const entry = byRule.get(f.ruleId) ?? { count: 0, severity: f.severity };
+            entry.count++;
+            byRule.set(f.ruleId, entry);
+        }
+        for (const [rule, { count, severity }] of byRule) {
+            const icon = severity === 'error' ? '❌' : severity === 'warning' ? '⚠️' : 'ℹ️';
+            lines.push(`| \`${rule}\` | ${count} | ${icon} ${severity} |`);
+        }
+        lines.push('');
+        lines.push('<details><summary>View findings</summary>');
+        lines.push('');
+        for (const [ruleId] of byRule) {
+            lines.push(`**${ruleId}**`);
+            for (const f of findings.filter((x) => x.ruleId === ruleId)) {
+                const loc = f.file ? (f.line ? `\`${f.file}:${f.line}\`` : `\`${f.file}\``) : '';
+                lines.push(`- ${loc ? `${loc} — ` : ''}${f.message}`);
+                if (f.suggestion)
+                    lines.push(`  > 💡 ${f.suggestion}`);
+            }
+            lines.push('');
+        }
+        lines.push('</details>');
+    }
+    lines.push('');
+    lines.push('<sub>Generated by [AgentGate](https://github.com/brett-buskirk/agent-gate)</sub>');
+    return lines.join('\n');
+}
+async function upsertComment(token, owner, repo, pullNumber, result, diff) {
+    const octokit = (0, github_1.getOctokit)(token);
+    const body = buildBody(result, diff);
+    const { data: comments } = await octokit.rest.issues.listComments({
+        owner,
+        repo,
+        issue_number: pullNumber,
+        per_page: 100,
+    });
+    const existing = comments.find((c) => c.body?.includes(MARKER));
+    if (existing) {
+        await octokit.rest.issues.updateComment({ owner, repo, comment_id: existing.id, body });
+    }
+    else {
+        await octokit.rest.issues.createComment({ owner, repo, issue_number: pullNumber, body });
+    }
+}

package/lib/report/json.d.ts

@@ -0,0 +1,4 @@
+import type { EngineResult } from '../engine';
+import type { DiffModel } from '../diff/parse';
+export declare function reportCli(result: EngineResult, diff: DiffModel, asJson?: boolean): void;
+//# sourceMappingURL=json.d.ts.map

package/lib/report/json.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.d.ts","sourceRoot":"","sources":["../../src/report/json.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAQ/C,wBAAgB,SAAS,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,UAAQ,GAAG,IAAI,CAiDrF"}

package/lib/report/json.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.reportCli = reportCli;
+const SEVERITY_ICON = {
+    error: '❌',
+    warning: '⚠️ ',
+    info: 'ℹ️ ',
+};
+function reportCli(result, diff, asJson = false) {
+    if (asJson) {
+        process.stdout.write(JSON.stringify({ verdict: result.verdict, counts: result.counts, findings: result.findings }, null, 2) + '\n');
+        return;
+    }
+    const { verdict, findings, counts } = result;
+    const verdictLine = verdict === 'pass'
+        ? '✅  AgentGate: passed'
+        : verdict === 'warn'
+            ? '⚠️   AgentGate: warnings'
+            : '❌  AgentGate: blocked';
+    console.log(`\n${verdictLine}`);
+    console.log(`     Files: ${diff.files.length}  |  Lines: +${diff.totalAdded} -${diff.totalDeleted}`);
+    if (counts.error > 0)
+        console.log(`     Errors:   ${counts.error}`);
+    if (counts.warning > 0)
+        console.log(`     Warnings: ${counts.warning}`);
+    if (counts.info > 0)
+        console.log(`     Info:     ${counts.info}`);
+    if (findings.length === 0) {
+        console.log('\n  No issues found.\n');
+        return;
+    }
+    console.log('');
+    const byRule = new Map();
+    for (const f of findings) {
+        if (!byRule.has(f.ruleId))
+            byRule.set(f.ruleId, []);
+        byRule.get(f.ruleId).push(f);
+    }
+    for (const [ruleId, ruleFindings] of byRule) {
+        const icon = SEVERITY_ICON[ruleFindings[0].severity] ?? '  ';
+        console.log(`  ${icon} [${ruleId}]`);
+        for (const f of ruleFindings) {
+            const loc = f.file ? (f.line ? `${f.file}:${f.line}` : f.file) : '';
+            console.log(`      ${loc ? `${loc}  ` : ''}${f.message}`);
+            if (f.suggestion)
+                console.log(`      → ${f.suggestion}`);
+        }
+        console.log('');
+    }
+}

package/lib/report/summary.d.ts

@@ -0,0 +1,4 @@
+import type { EngineResult } from '../engine';
+import type { DiffModel } from '../diff/parse';
+export declare function writeSummary(result: EngineResult, diff: DiffModel): Promise<void>;
+//# sourceMappingURL=summary.d.ts.map

package/lib/report/summary.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"summary.d.ts","sourceRoot":"","sources":["../../src/report/summary.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC9C,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAE/C,wBAAsB,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBvF"}

package/lib/report/summary.js

@@ -0,0 +1,56 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.writeSummary = writeSummary;
+const core = __importStar(require("@actions/core"));
+async function writeSummary(result, diff) {
+    const { verdict, findings, counts } = result;
+    const verdictStr = verdict === 'pass' ? '✅ Passed' : verdict === 'warn' ? '⚠️ Warnings' : '❌ Blocked';
+    await core.summary
+        .addHeading(`AgentGate: ${verdictStr}`, 2)
+        .addTable([
+        [
+            { data: 'Metric', header: true },
+            { data: 'Value', header: true },
+        ],
+        ['Files changed', String(diff.files.length)],
+        ['Lines added', String(diff.totalAdded)],
+        ['Lines removed', String(diff.totalDeleted)],
+        ['Errors', String(counts.error)],
+        ['Warnings', String(counts.warning)],
+        ['Total findings', String(findings.length)],
+    ])
+        .write();
+}

package/lib/rules/dangerousPatterns.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const dangerousPatternsRule: Rule;
+//# sourceMappingURL=dangerousPatterns.d.ts.map

package/lib/rules/dangerousPatterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dangerousPatterns.d.ts","sourceRoot":"","sources":["../../src/rules/dangerousPatterns.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AAI7C,eAAO,MAAM,qBAAqB,EAAE,IA4CnC,CAAC"}

package/lib/rules/dangerousPatterns.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dangerousPatternsRule = void 0;
+exports.dangerousPatternsRule = {
+    id: 'dangerous_patterns',
+    description: 'Flag added lines matching a configurable regex denylist',
+    run(diff, config) {
+        const { enabled, severity, patterns } = config.rules.dangerous_patterns;
+        if (!enabled)
+            return [];
+        let compiled;
+        try {
+            compiled = patterns.map((p) => ({ regex: new RegExp(p), raw: p }));
+        }
+        catch (err) {
+            throw new Error(`dangerous_patterns: invalid regex pattern — ${err instanceof Error ? err.message : String(err)}`);
+        }
+        const findings = [];
+        for (const file of diff.files) {
+            for (const chunk of file.chunks) {
+                for (const line of chunk.lines) {
+                    if (line.type !== 'add')
+                        continue;
+                    for (const { regex, raw } of compiled) {
+                        if (regex.test(line.content)) {
+                            findings.push({
+                                ruleId: 'dangerous_patterns',
+                                severity,
+                                file: file.path,
+                                line: line.lineNumber,
+                                message: `Added line matches dangerous pattern \`${raw}\``,
+                                suggestion: 'Review this change carefully — it matches a pattern flagged as potentially dangerous.',
+                            });
+                            break;
+                        }
+                    }
+                }
+            }
+        }
+        return findings;
+    },
+};

package/lib/rules/dependencies.d.ts

@@ -0,0 +1,3 @@
+import type { Rule } from './types';
+export declare const dependenciesRule: Rule;
+//# sourceMappingURL=dependencies.d.ts.map

package/lib/rules/dependencies.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../src/rules/dependencies.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAW,MAAM,SAAS,CAAC;AAI7C,eAAO,MAAM,gBAAgB,EAAE,IA0B9B,CAAC"}