@delegance/claude-autopilot 1.0.0-alpha.4 → 1.0.0-alpha.6

package/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## 1.0.0-alpha.6
+
+### Added
+
+- **Auto-regression testing** (`scripts/autoregress.ts generate|run|update`) — autoresearch-inspired snapshot tests for changed source modules
+- **Impact-aware selection** — only fires snapshots whose source modules (or one-hop importers) were touched; high-impact paths (`src/core/pipeline/**`, `src/adapters/**`, `src/core/findings/**`, `src/core/config/**`) and >10-file changes trigger full run
+- **Snapshot serializer** (`src/snapshots/serializer.ts`) — deterministic JSON normalization: sorted keys, `<timestamp>`, `<uuid>`, path stripping
+- **Import scanner** (`src/snapshots/import-scanner.ts`) — static `import`/`export` graph → reverse dependency map
+- **Impact selector** (`src/snapshots/impact-selector.ts`) — merge-base diff + one-hop expansion + overrides
+- **Baseline capture** — `CAPTURE_BASELINE=1` env flag; `autoregress update` rewrites baselines after intentional changes
+- **Staleness detection** — warns and skips snapshots whose `@snapshot-for` source file no longer exists
+- 10 new unit tests (AR1-AR10) for serializer, import scanner, and impact selector
+
+## 1.0.0-alpha.5 (2026-04-21)
+
+### New Features
+
+- **`--format sarif --output <path>`** on `autopilot run` — serialises `RunResult` to SARIF 2.1.0; deduplicates rules by category; normalises URIs to repo-relative forward-slash; always emits `results: []` even on error so `upload-sarif` never fails on a missing file
+- **Auto GitHub Actions annotations** — when `GITHUB_ACTIONS=true`, `emitAnnotations()` fires after every run and writes `::error`/`::warning`/`::notice` workflow commands to stdout; GitHub renders these as inline annotations on the PR diff
+- **`src/formatters/`** — pure formatter modules (`sarif.ts`, `github-annotations.ts`) with full command-injection encoding (`%`, `\r`, `\n`, `:`, `,`) for annotation properties and data
+- **`action.yml`** composite action — checkout → setup-node@v4 → npx autopilot run → upload-sarif@v3; inputs: `version`, `config`, `sarif-output`, `openai-api-key`; upload step runs `if: always()` so findings surface even when run exits 1
+- 21 new formatter tests (11 SARIF + 10 annotations) → **95 total**
+
 ## 1.0.0-alpha.4 (2026-04-21)
 
 ### New Features

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.0.0-alpha.4",
+  "version": "1.0.0-alpha.6",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": ["claude", "autopilot", "ai", "pipeline", "code-review", "cli"],
@@ -20,12 +20,15 @@
     "src/",
     "presets/",
     "scripts/test-runner.mjs",
+    "scripts/autoregress.ts",
+    "tests/snapshots/",
     "CHANGELOG.md"
   ],
   "scripts": {
     "test": "node scripts/test-runner.mjs",
     "typecheck": "tsc --noEmit",
-    "build": "tsc"
+    "build": "tsc",
+    "autoregress": "tsx scripts/autoregress.ts"
   },
   "devDependencies": {
     "@types/js-yaml": "^4",

package/scripts/autoregress.ts

@@ -0,0 +1,268 @@
+#!/usr/bin/env node
+// scripts/autoregress.ts
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { execSync, spawnSync } from 'node:child_process';
+import { fileURLToPath } from 'node:url';
+import { selectSnapshots } from '../src/snapshots/impact-selector.ts';
+import OpenAI from 'openai';
+import { buildImportMap } from '../src/snapshots/import-scanner.ts';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(__dirname, '..');
+const SNAPSHOTS_DIR = path.join(ROOT, 'tests', 'snapshots');
+const INDEX_PATH = path.join(SNAPSHOTS_DIR, 'index.json');
+const IMPORT_MAP_PATH = path.join(SNAPSHOTS_DIR, 'import-map.json');
+const BASELINES_DIR = path.join(SNAPSHOTS_DIR, 'baselines');
+
+function loadJson<T>(p: string, fallback: T): T {
+  try { return JSON.parse(fs.readFileSync(p, 'utf8')) as T; } catch { return fallback; }
+}
+
+function getChangedFiles(since?: string): string[] | null {
+  try {
+    const base = since
+      ? since
+      : execSync('git merge-base origin/main HEAD', { cwd: ROOT }).toString().trim();
+    const out = execSync(`git diff ${base} HEAD --name-only`, { cwd: ROOT }).toString();
+    return out.trim().split('\n').filter(Boolean);
+  } catch { return null; }
+}
+
+function allSnapFiles(): string[] {
+  if (!fs.existsSync(SNAPSHOTS_DIR)) return [];
+  return fs.readdirSync(SNAPSHOTS_DIR)
+    .filter(f => f.endsWith('.snap.ts'))
+    .map(f => path.join('tests', 'snapshots', f));
+}
+
+function runSnapshot(snapFile: string, capture: boolean): 'pass' | 'fail' | 'baseline-missing' | 'stale' {
+  const absSnap = path.join(ROOT, snapFile);
+  const content = fs.readFileSync(absSnap, 'utf8');
+  const forMatch = content.match(/@snapshot-for:\s*(.+)/);
+  if (forMatch) {
+    const src = forMatch[1]!.trim();
+    if (!fs.existsSync(path.join(ROOT, src))) {
+      console.warn(`  [warn] stale — source gone: ${src}`);
+      return 'stale';
+    }
+  }
+
+  const slug = path.basename(snapFile, '.snap.ts');
+  const baselinePath = path.join(BASELINES_DIR, `${slug}.json`);
+  if (!capture && !fs.existsSync(baselinePath)) {
+    console.error(`  [fail] baseline missing: ${baselinePath}`);
+    return 'baseline-missing';
+  }
+
+  const env = { ...process.env };
+  if (capture) env.CAPTURE_BASELINE = '1';
+  else delete env.CAPTURE_BASELINE;
+
+  const result = spawnSync('node', ['--test', '--import', 'tsx', absSnap], {
+    stdio: ['ignore', 'pipe', 'pipe'],
+    cwd: ROOT,
+    env,
+  });
+
+  if (result.status === 0) return 'pass';
+  if (capture) return 'pass';
+  console.error(`    ${(result.stderr?.toString() ?? '') || (result.stdout?.toString() ?? '')}`);
+  return 'fail';
+}
+
+function cmdRun(args: string[]): number {
+  const runAll = args.includes('--all');
+  const sinceIdx = args.indexOf('--since');
+  const since = sinceIdx >= 0 ? args[sinceIdx + 1] : undefined;
+  const index = loadJson<Record<string, string[]>>(INDEX_PATH, {});
+  const importMap = loadJson<Record<string, string[]>>(IMPORT_MAP_PATH, {});
+  const snapFiles = allSnapFiles();
+
+  let selected: string[];
+  if (runAll || snapFiles.length === 0) {
+    selected = snapFiles;
+    console.log(`[autoregress run] --all: running ${snapFiles.length} snapshot(s)`);
+  } else {
+    const changed = getChangedFiles(since);
+    if (!changed) {
+      console.warn('[autoregress run] merge-base resolution failed — running all');
+      selected = snapFiles;
+    } else {
+      const r = selectSnapshots(changed, snapFiles, index, importMap);
+      selected = r.selected;
+      console.log(`[autoregress run] ${r.reason} (${selected.length}/${snapFiles.length})`);
+    }
+  }
+
+  if (selected.length === 0) {
+    console.log('[autoregress run] no snapshots to run — pass');
+    return 0;
+  }
+
+  let passed = 0, failed = 0, missing = 0, stale = 0;
+  for (const snap of selected) {
+    process.stdout.write(`  ${snap} ... `);
+    const v = runSnapshot(snap, false);
+    if (v === 'pass') { passed++; console.log('pass'); }
+    else if (v === 'fail') { failed++; console.log('FAIL'); }
+    else if (v === 'baseline-missing') { missing++; console.log('BASELINE MISSING'); }
+    else { stale++; console.log('stale (skipped)'); }
+  }
+  console.log(`\n  ${passed} passed  ${failed} failed  ${missing} baseline-missing  ${stale} stale`);
+  return failed > 0 || missing > 0 ? 1 : 0;
+}
+
+function cmdUpdate(args: string[]): number {
+  const snapIdx = args.indexOf('--snapshot');
+  const slug = snapIdx >= 0 ? args[snapIdx + 1] : undefined;
+  const snapFiles = slug
+    ? [path.join('tests', 'snapshots', `${slug}.snap.ts`)]
+    : allSnapFiles();
+  console.log(`[autoregress update] rewriting ${snapFiles.length} baseline(s)`);
+  let failed = 0;
+  for (const snap of snapFiles) {
+    const absSnap = path.join(ROOT, snap);
+    if (!fs.existsSync(absSnap)) {
+      console.error(`  [error] snapshot file not found: ${snap}`);
+      failed++;
+      continue;
+    }
+    process.stdout.write(`  ${snap} ... `);
+    runSnapshot(snap, true);
+    console.log('updated');
+  }
+  return failed > 0 ? 1 : 0;
+}
+
+const GENERATOR_VERSION = '1.0.0-alpha.6';
+
+const GENERATE_PROMPT = `You are generating a behavioral snapshot test for a TypeScript module.
+
+Module path: {filePath}
+Module contents:
+{fileContents}
+
+Write a snapshot test file. Requirements:
+1. Header comments at top:
+   // @snapshot-for: {filePath}
+   // @generated-at: {generatedAt}
+   // @source-commit: {sourceCommit}
+   // @generator-version: {version}
+2. Import the module's exported functions under test
+3. Import { normalizeSnapshot } from '../../src/snapshots/serializer.ts'
+4. Import fs from 'node:fs', describe/it from 'node:test', assert from 'node:assert/strict'
+5. Baseline loading pattern (use slug {slug}):
+   const SLUG = '{slug}';
+   import { fileURLToPath } from 'node:url';
+   const baselineRaw = process.env.CAPTURE_BASELINE === '1' ? '{}' : fs.readFileSync(fileURLToPath(new URL('./baselines/{slug}.json', import.meta.url)), 'utf8');
+   const baseline = JSON.parse(baselineRaw);
+   const captured: Record<string, unknown> = {};
+   process.on('exit', () => {
+     if (process.env.CAPTURE_BASELINE === '1') {
+       const p = fileURLToPath(new URL('./baselines/{slug}.json', import.meta.url));
+       fs.writeFileSync(p, JSON.stringify(captured, null, 2), 'utf8');
+     }
+   });
+6. In each test: if (process.env.CAPTURE_BASELINE === '1') { captured['test-name'] = result; return; }
+   Else: assert.equal(normalizeSnapshot(result), normalizeSnapshot(baseline['test-name']));
+7. Write 2-4 it() tests covering representative behaviors
+8. Output ONLY the TypeScript file contents, no markdown fences, no explanation`;
+
+async function cmdGenerate(args: string[]): Promise<number> {
+  const apiKey = process.env.OPENAI_API_KEY;
+  if (!apiKey) { console.error('[autoregress generate] OPENAI_API_KEY not set'); return 1; }
+
+  const sinceIdx = args.indexOf('--since');
+  const since = sinceIdx >= 0 ? args[sinceIdx + 1] : undefined;
+  const changed = getChangedFiles(since);
+  if (!changed) { console.error('[autoregress generate] could not determine changed files'); return 1; }
+
+  const srcFiles = changed.filter(f => f.startsWith('src/') && f.endsWith('.ts'));
+  if (srcFiles.length === 0) {
+    console.log('[autoregress generate] no src/*.ts files changed — nothing to generate');
+    return 0;
+  }
+
+  console.log(`[autoregress generate] generating snapshots for ${srcFiles.length} file(s)`);
+
+  const client = new OpenAI({ apiKey });
+  let sourceCommit = 'unknown';
+  try { sourceCommit = execSync('git rev-parse --short HEAD', { cwd: ROOT }).toString().trim(); } catch {}
+  const generatedAt = new Date().toISOString();
+
+  for (const srcFile of srcFiles) {
+    const absFile = path.join(ROOT, srcFile);
+    if (!fs.existsSync(absFile)) { console.warn(`  skip (not found): ${srcFile}`); continue; }
+
+    const fileContents = fs.readFileSync(absFile, 'utf8');
+    const slug = srcFile.replace(/[/\\]/g, '-').replace(/\.ts$/, '');
+
+    process.stdout.write(`  ${srcFile} → ${slug}.snap.ts ... `);
+
+    const prompt = GENERATE_PROMPT
+      .replace(/{filePath}/g, srcFile)
+      .replace(/{fileContents}/g, fileContents)
+      .replace(/{slug}/g, slug)
+      .replace(/{version}/g, GENERATOR_VERSION)
+      .replace(/{generatedAt}/g, generatedAt)
+      .replace(/{sourceCommit}/g, sourceCommit);
+
+    let snapContent: string;
+    try {
+      const response = await client.responses.create({
+        model: process.env.CODEX_MODEL ?? 'gpt-5.3-codex',
+        instructions: 'You write TypeScript snapshot tests. Output ONLY the file contents, no markdown fences.',
+        input: prompt,
+        max_output_tokens: 2000,
+      });
+      snapContent = (response.output_text ?? '').replace(/^```typescript\n?/m, '').replace(/```$/m, '').trim();
+    } catch (err) {
+      console.error(`LLM error: ${err instanceof Error ? err.message : String(err)}`);
+      continue;
+    }
+
+    const snapPath = path.join(SNAPSHOTS_DIR, `${slug}.snap.ts`);
+    fs.writeFileSync(snapPath, snapContent + '\n', 'utf8');
+
+    const captureResult = spawnSync('node', ['--test', '--import', 'tsx', snapPath], {
+      stdio: ['ignore', 'pipe', 'pipe'],
+      cwd: ROOT,
+      env: { ...process.env, CAPTURE_BASELINE: '1' },
+    });
+    const baselinePath = path.join(BASELINES_DIR, `${slug}.json`);
+    console.log(fs.existsSync(baselinePath) ? 'generated + baseline captured' :
+      `generated (capture failed: ${captureResult.stderr?.toString().slice(0, 60)})`);
+  }
+
+  // Rebuild index.json from @snapshot-for headers
+  const newIndex: Record<string, string[]> = {};
+  for (const f of fs.readdirSync(SNAPSHOTS_DIR).filter(x => x.endsWith('.snap.ts'))) {
+    const snapRelPath = path.join('tests', 'snapshots', f);
+    const content = fs.readFileSync(path.join(SNAPSHOTS_DIR, f), 'utf8');
+    const sources = [...content.matchAll(/@snapshot-for:\s*(.+)/g)].map(m => m[1]!.trim());
+    if (sources.length) newIndex[snapRelPath] = sources;
+  }
+  fs.writeFileSync(INDEX_PATH, JSON.stringify(newIndex, null, 2) + '\n', 'utf8');
+
+  // Rebuild import-map.json — prefix keys/values with 'src/' to match repo-relative git diff paths
+  const rawImportMap = buildImportMap(path.join(ROOT, 'src'));
+  const newImportMap: Record<string, string[]> = {};
+  for (const [dep, importers] of Object.entries(rawImportMap)) {
+    newImportMap[`src/${dep}`] = importers.map(i => `src/${i}`);
+  }
+  fs.writeFileSync(IMPORT_MAP_PATH, JSON.stringify(newImportMap, null, 2) + '\n', 'utf8');
+
+  console.log('\n[autoregress generate] index.json + import-map.json rebuilt');
+  return 0;
+}
+
+const [,, subcmd, ...rest] = process.argv;
+switch (subcmd) {
+  case 'run': process.exit(cmdRun(rest)); break;
+  case 'update': process.exit(cmdUpdate(rest)); break;
+  case 'generate': process.exit(await cmdGenerate(rest)); break;
+  default:
+    console.error(`[autoregress] unknown subcommand: ${subcmd ?? '(none)'}`);
+    process.exit(1);
+}

package/src/cli/index.ts

@@ -17,7 +17,7 @@ import { runWatch } from './watch.ts';
 const args = process.argv.slice(2);
 
 const SUBCOMMANDS = ['init', 'run', 'preflight', 'help', '--help', '-h'] as const;
-const VALUE_FLAGS = ['base', 'config', 'files'];
+const VALUE_FLAGS = ['base', 'config', 'files', 'format', 'output', 'debounce'];
 
 // Detect first non-flag arg as subcommand, default to 'run'
 const subcommand = (args[0] && !args[0].startsWith('--')) ? args[0] : 'run';
@@ -53,6 +53,8 @@ Options (run):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
   --files <a,b,c>      Explicit comma-separated file list (skips git detection)
   --dry-run            Show what would run without executing
+  --format <text|sarif>  Output format (default: text)
+  --output <path>        Output file path (required with --format sarif)
 
 Options (watch):
   --config <path>      Path to config file (default: ./autopilot.config.yaml)
@@ -92,12 +94,25 @@ switch (subcommand) {
     const config = flag('config');
     const filesArg = flag('files');
     const dryRun = boolFlag('dry-run');
+    const formatArg = flag('format');
+    const outputPath = flag('output');
+
+    if (formatArg && formatArg !== 'text' && formatArg !== 'sarif') {
+      console.error(`\x1b[31m[autopilot] --format must be "text" or "sarif"\x1b[0m`);
+      process.exit(1);
+    }
+    if (formatArg === 'sarif' && !outputPath) {
+      console.error(`\x1b[31m[autopilot] --format sarif requires --output <path>\x1b[0m`);
+      process.exit(1);
+    }
 
     const code = await runCommand({
       base,
       configPath: config,
       files: filesArg ? filesArg.split(',').map(f => f.trim()) : undefined,
       dryRun,
+      format: formatArg as 'text' | 'sarif' | undefined,
+      outputPath,
     });
     process.exit(code);
     break;

package/src/cli/run.ts

@@ -10,6 +10,14 @@ import { resolveGitTouchedFiles } from '../core/git/touched-files.ts';
 import type { RunInput } from '../core/pipeline/run.ts';
 import type { ReviewEngine } from '../adapters/review-engine/types.ts';
 import type { AutopilotConfig } from '../core/config/types.ts';
+import { fileURLToPath } from 'node:url';
+import { toSarif } from '../formatters/sarif.ts';
+import { emitAnnotations } from '../formatters/github-annotations.ts';
+
+function readToolVersion(): string {
+  const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
+  return (JSON.parse(fs.readFileSync(pkgPath, 'utf8')) as { version: string }).version;
+}
 
 const C = {
   reset: '\x1b[0m',
@@ -31,6 +39,8 @@ export interface RunCommandOptions {
   base?: string;       // git base ref (default HEAD~1)
   files?: string[];    // explicit file list (skips git detection)
   dryRun?: boolean;    // skip review, print what would run
+  format?: 'text' | 'sarif';
+  outputPath?: string;
 }
 
 /**
@@ -109,6 +119,17 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   console.log('');
   const result = await runAutopilot(input);
 
+  // emitAnnotations is a no-op unless GITHUB_ACTIONS=true
+  emitAnnotations(result.allFindings);
+
+  // Write SARIF output if requested
+  if (options.format === 'sarif' && options.outputPath) {
+    const sarif = toSarif(result, { toolVersion: readToolVersion(), cwd });
+    fs.mkdirSync(path.dirname(path.resolve(options.outputPath)), { recursive: true });
+    fs.writeFileSync(options.outputPath, JSON.stringify(sarif, null, 2), 'utf8');
+    console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
+  }
+
   // Print phase summaries
   for (const phase of result.phases) {
     const icon = phase.status === 'pass' ? fmt('green', '✓') :

package/src/formatters/github-annotations.ts

@@ -0,0 +1,36 @@
+import type { Finding } from '../core/findings/types.ts';
+
+export function encodeAnnotationProperty(s: string): string {
+  return s
+    .replace(/%/g, '%25')
+    .replace(/\r/g, '%0D')
+    .replace(/\n/g, '%0A')
+    .replace(/:/g, '%3A')
+    .replace(/,/g, '%2C');
+}
+
+export function encodeAnnotationData(s: string): string {
+  return s
+    .replace(/%/g, '%25')
+    .replace(/\r/g, '%0D')
+    .replace(/\n/g, '%0A');
+}
+
+function severityToCommand(s: Finding['severity']): 'error' | 'warning' | 'notice' {
+  if (s === 'critical') return 'error';
+  if (s === 'warning') return 'warning';
+  return 'notice';
+}
+
+export function emitAnnotations(findings: Finding[]): void {
+  if (process.env.GITHUB_ACTIONS !== 'true') return;
+  for (const f of findings) {
+    const cmd = severityToCommand(f.severity);
+    const props: string[] = [`file=${encodeAnnotationProperty(f.file)}`];
+    if (f.line !== undefined) {
+      props.push(`line=${f.line}`, `endLine=${f.line}`);
+    }
+    props.push(`title=${encodeAnnotationProperty(f.category)}`);
+    process.stdout.write(`::${cmd} ${props.join(',')}::${encodeAnnotationData(f.message)}\n`);
+  }
+}

package/src/formatters/index.ts

@@ -0,0 +1,3 @@
+export { toSarif, normalizeSarifUri } from './sarif.ts';
+export type { SarifLog } from './sarif.ts';
+export { emitAnnotations, encodeAnnotationProperty, encodeAnnotationData } from './github-annotations.ts';

package/src/formatters/sarif.ts

@@ -0,0 +1,103 @@
+import * as path from 'node:path';
+import type { RunResult } from '../core/pipeline/run.ts';
+import type { Finding } from '../core/findings/types.ts';
+
+interface SarifLog {
+  $schema: string;
+  version: '2.1.0';
+  runs: SarifRun[];
+}
+interface SarifRun {
+  tool: { driver: SarifDriver };
+  results: SarifResult[];
+}
+interface SarifDriver {
+  name: string;
+  version: string;
+  informationUri: string;
+  rules: SarifRule[];
+}
+interface SarifRule {
+  id: string;
+  name: string;
+  shortDescription: { text: string };
+}
+interface SarifResult {
+  ruleId: string;
+  level: 'error' | 'warning' | 'note';
+  message: { text: string };
+  locations: SarifLocation[];
+  fixes?: Array<{ description: { text: string } }>;
+}
+interface SarifLocation {
+  physicalLocation: {
+    artifactLocation: { uri: string; uriBaseId: string };
+    region?: { startLine: number };
+  };
+}
+
+export type { SarifLog };
+
+export function normalizeSarifUri(file: string, cwd: string): string {
+  let rel = path.isAbsolute(file) ? path.relative(cwd, file) : file;
+  rel = rel.replace(/\\/g, '/');
+  if (rel.startsWith('./')) rel = rel.slice(2);
+  if (rel.startsWith('../')) rel = file.replace(/\\/g, '/');
+  return rel;
+}
+
+function severityToLevel(s: Finding['severity']): 'error' | 'warning' | 'note' {
+  if (s === 'critical') return 'error';
+  if (s === 'warning') return 'warning';
+  return 'note';
+}
+
+export function toSarif(
+  result: RunResult,
+  opts: { toolVersion: string; cwd?: string },
+): SarifLog {
+  const cwd = opts.cwd ?? process.cwd();
+
+  const rulesMap = new Map<string, SarifRule>();
+  for (const f of result.allFindings) {
+    if (!rulesMap.has(f.category)) {
+      rulesMap.set(f.category, {
+        id: f.category,
+        name: f.category,
+        shortDescription: { text: f.category },
+      });
+    }
+  }
+
+  const results: SarifResult[] = result.allFindings.map(f => {
+    const r: SarifResult = {
+      ruleId: f.category,
+      level: severityToLevel(f.severity),
+      message: { text: f.message },
+      locations: [{
+        physicalLocation: {
+          artifactLocation: { uri: normalizeSarifUri(f.file, cwd), uriBaseId: '%SRCROOT%' },
+          ...(f.line !== undefined ? { region: { startLine: f.line } } : {}),
+        },
+      }],
+    };
+    if (f.suggestion) r.fixes = [{ description: { text: f.suggestion } }];
+    return r;
+  });
+
+  return {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'claude-autopilot',
+          version: opts.toolVersion,
+          informationUri: 'https://github.com/axledbetter/claude-autopilot',
+          rules: [...rulesMap.values()],
+        },
+      },
+      results,
+    }],
+  };
+}

package/src/snapshots/impact-selector.ts

@@ -0,0 +1,60 @@
+const HIGH_IMPACT_PATTERNS = [
+  /^src\/core\/pipeline\//,
+  /^src\/adapters\//,
+  /^src\/core\/findings\//,
+  /^src\/core\/config\//,
+];
+
+export interface SelectResult {
+  selected: string[];
+  fullRun: boolean;
+  reason: string;
+}
+
+export function selectSnapshots(
+  changedFiles: string[],
+  allSnapshotFiles: string[],
+  index: Record<string, string[]>,
+  importMap: Record<string, string[]>,
+  options: { highImpactPatterns?: RegExp[]; volumeThreshold?: number } = {},
+): SelectResult {
+  const patterns = options.highImpactPatterns ?? HIGH_IMPACT_PATTERNS;
+  const volumeThreshold = options.volumeThreshold ?? 10;
+
+  if (changedFiles.length > volumeThreshold) {
+    return { selected: allSnapshotFiles, fullRun: true, reason: 'volume override (>10 files changed)' };
+  }
+
+  for (const f of changedFiles) {
+    for (const p of patterns) {
+      if (p.test(f)) {
+        return { selected: allSnapshotFiles, fullRun: true, reason: `high-impact path matched: ${f}` };
+      }
+    }
+  }
+
+  // Build: sourceFile → snapFiles that cover it
+  const sourceToSnaps: Record<string, string[]> = {};
+  for (const [snapFile, sources] of Object.entries(index)) {
+    for (const src of sources) {
+      if (!sourceToSnaps[src]) sourceToSnaps[src] = [];
+      sourceToSnaps[src]!.push(snapFile);
+    }
+  }
+
+  const selected = new Set<string>();
+  for (const changed of changedFiles) {
+    for (const snap of sourceToSnaps[changed] ?? []) selected.add(snap);
+    for (const importer of importMap[changed] ?? []) {
+      for (const snap of sourceToSnaps[importer] ?? []) selected.add(snap);
+    }
+  }
+
+  return {
+    selected: [...selected],
+    fullRun: false,
+    reason: selected.size === 0
+      ? 'no snapshots matched changed files'
+      : `${selected.size} snapshot(s) selected`,
+  };
+}

package/src/snapshots/import-scanner.ts

@@ -0,0 +1,44 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const IMPORT_RE = /^(?:import|export)\s+(?:.*?from\s+)?['"]([^'"]+)['"]/gm;
+
+function allTsFiles(dir: string): string[] {
+  const results: string[] = [];
+  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+    const full = path.join(dir, entry.name);
+    if (entry.isDirectory()) results.push(...allTsFiles(full));
+    else if (entry.isFile() && entry.name.endsWith('.ts')) results.push(full);
+  }
+  return results;
+}
+
+function resolveImport(importer: string, specifier: string, srcDir: string): string | null {
+  if (!specifier.startsWith('.')) return null;
+  const abs = path.resolve(path.dirname(importer), specifier);
+  const withExt = abs.endsWith('.ts') ? abs : abs + '.ts';
+  const rel = path.relative(srcDir, withExt).replace(/\\/g, '/');
+  if (rel.startsWith('..')) return null;
+  return rel;
+}
+
+export function buildImportMap(srcDir: string): Record<string, string[]> {
+  const absDir = path.resolve(srcDir);
+  const files = allTsFiles(absDir);
+  const map: Record<string, string[]> = {};
+
+  for (const file of files) {
+    const relImporter = path.relative(absDir, file).replace(/\\/g, '/');
+    const content = fs.readFileSync(file, 'utf8');
+    let m: RegExpExecArray | null;
+    IMPORT_RE.lastIndex = 0;
+    while ((m = IMPORT_RE.exec(content)) !== null) {
+      const resolved = resolveImport(file, m[1]!, absDir);
+      if (!resolved) continue;
+      if (!map[resolved]) map[resolved] = [];
+      if (!map[resolved]!.includes(relImporter)) map[resolved]!.push(relImporter);
+    }
+  }
+
+  return map;
+}

package/src/snapshots/serializer.ts

@@ -0,0 +1,24 @@
+const ISO_TS_RE = /^\d{4}-\d{2}-\d{2}T/;
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-/i;
+
+function normalizeValue(value: unknown, cwd?: string): unknown {
+  if (typeof value === 'string') {
+    if (ISO_TS_RE.test(value)) return '<timestamp>';
+    if (UUID_RE.test(value)) return '<uuid>';
+    if (cwd && value.startsWith(cwd + '/')) return value.slice(cwd.length + 1);
+    return value;
+  }
+  if (Array.isArray(value)) return value.map(v => normalizeValue(v, cwd));
+  if (value !== null && typeof value === 'object') {
+    const sorted: Record<string, unknown> = {};
+    for (const key of Object.keys(value as object).sort()) {
+      sorted[key] = normalizeValue((value as Record<string, unknown>)[key], cwd);
+    }
+    return sorted;
+  }
+  return value;
+}
+
+export function normalizeSnapshot(value: unknown, cwd?: string): string {
+  return JSON.stringify(normalizeValue(value, cwd), null, 2);
+}

package/tests/snapshots/import-map.json

@@ -0,0 +1 @@
+{}

package/tests/snapshots/index.json

@@ -0,0 +1 @@
+{}