@delegance/claude-autopilot 1.3.1 → 1.5.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delegance/claude-autopilot",
-  "version": "1.3.1",
+  "version": "1.5.0",
   "type": "module",
   "description": "Claude Code automation pipeline: spec → plan → implement → validate → PR",
   "keywords": [
@@ -46,6 +46,7 @@
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.90.0",
+    "@google/generative-ai": "^0.24.1",
     "ajv": "^8",
     "dotenv": ">=16",
     "js-yaml": "^4",

package/src/adapters/loader.ts

@@ -16,6 +16,8 @@ const BUILTIN_PATHS: Record<IntegrationPoint, Record<string, string>> = {
   'review-engine': {
     codex: './review-engine/codex.ts',
     claude: './review-engine/claude.ts',
+    gemini: './review-engine/gemini.ts',
+    'openai-compatible': './review-engine/openai-compatible.ts',
     auto: './review-engine/auto.ts',
   },
   'vcs-host': { github: './vcs-host/github.ts' },

package/src/adapters/review-engine/auto.ts

@@ -2,19 +2,42 @@ import type { Capabilities } from '../base.ts';
 import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
 import { AutopilotError } from '../../core/errors.ts';
 
-// Priority order: ANTHROPIC_API_KEY → claude, OPENAI_API_KEY → codex
+// Priority order for key detection
 async function resolveAdapter(): Promise<ReviewEngine> {
   if (process.env.ANTHROPIC_API_KEY) {
     const { claudeAdapter } = await import('./claude.ts');
     return claudeAdapter;
   }
+  if (process.env.GEMINI_API_KEY || process.env.GOOGLE_API_KEY) {
+    const { geminiAdapter } = await import('./gemini.ts');
+    return geminiAdapter;
+  }
   if (process.env.OPENAI_API_KEY) {
     const { codexAdapter } = await import('./codex.ts');
     return codexAdapter;
   }
+  if (process.env.GROQ_API_KEY) {
+    const { openaiCompatibleAdapter } = await import('./openai-compatible.ts');
+    // Wrap with Groq config injected into review() context
+    return {
+      ...openaiCompatibleAdapter,
+      name: 'auto',
+      review(input: ReviewInput) {
+        return openaiCompatibleAdapter.review({
+          ...input,
+          context: {
+            ...input.context,
+            model: 'llama-3.3-70b-versatile',
+            baseUrl: 'https://api.groq.com/openai/v1',
+            apiKeyEnv: 'GROQ_API_KEY',
+          } as typeof input.context,
+        });
+      },
+    };
+  }
   throw new AutopilotError(
-    'No LLM API key found — set ANTHROPIC_API_KEY (recommended) or OPENAI_API_KEY to enable review',
-    { code: 'auth', provider: 'auto' }
+    'No LLM API key found. Set one of: ANTHROPIC_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY, GROQ_API_KEY',
+    { code: 'auth', provider: 'auto' },
   );
 }
 

package/src/adapters/review-engine/gemini.ts

@@ -0,0 +1,131 @@
+import { GoogleGenerativeAI } from '@google/generative-ai';
+import type { Finding } from '../../core/findings/types.ts';
+import { AutopilotError } from '../../core/errors.ts';
+import type { Capabilities } from '../base.ts';
+import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
+
+const DEFAULT_MODEL = 'gemini-2.5-pro-preview-05-06';
+const MAX_OUTPUT_TOKENS = 4096;
+
+// Cost per million tokens (USD) — gemini-2.5-pro pricing (<200k context)
+const COST_PER_M_INPUT = 1.25;
+const COST_PER_M_OUTPUT = 10.0;
+
+const PROMPT_TEMPLATE = `You are a senior software architect reviewing code changes for quality, security, and correctness.
+
+The codebase context:
+{STACK}
+
+Please review the following:
+
+---
+
+{CONTENT}
+
+---
+
+Provide structured feedback in exactly this format:
+
+## Review Summary
+One paragraph overall assessment.
+
+## Findings
+
+For each finding, use this format:
+### [CRITICAL|WARNING|NOTE] <short title>
+<explanation>
+**Suggestion:** <actionable fix>
+
+Rules:
+- CRITICAL: Blocks merge (security issues, data loss risks, broken contracts)
+- WARNING: Should address before merging (logic errors, missing error handling, test gaps)
+- NOTE: Improvement suggestion (style, performance, clarity)
+- Maximum 10 findings, ranked by severity
+- Be specific and constructive
+- Reference the file and line when possible`;
+
+export const geminiAdapter: ReviewEngine = {
+  name: 'gemini',
+  apiVersion: '1.0.0',
+
+  getCapabilities(): Capabilities {
+    return { structuredOutput: false, streaming: false, maxContextTokens: 1000000, inlineComments: false };
+  },
+
+  estimateTokens(content: string): number {
+    return Math.ceil(content.length / 4);
+  },
+
+  async review(input: ReviewInput): Promise<ReviewOutput> {
+    const apiKey = process.env.GEMINI_API_KEY ?? process.env.GOOGLE_API_KEY;
+    if (!apiKey) {
+      throw new AutopilotError('GEMINI_API_KEY (or GOOGLE_API_KEY) not set', { code: 'auth', provider: 'gemini' });
+    }
+
+    const model = (input.context as Record<string, unknown> | undefined)?.['model'] as string | undefined ?? DEFAULT_MODEL;
+    const stack = input.context?.stack ?? 'A web application — stack details unspecified.';
+    const prompt = PROMPT_TEMPLATE.replace('{STACK}', stack).replace('{CONTENT}', input.content);
+
+    const genAI = new GoogleGenerativeAI(apiKey);
+    const genModel = genAI.getGenerativeModel({
+      model,
+      generationConfig: { maxOutputTokens: MAX_OUTPUT_TOKENS },
+    });
+
+    let result: Awaited<ReturnType<typeof genModel.generateContent>>;
+    try {
+      result = await genModel.generateContent(prompt);
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const isRateLimit = /rate.limit|429|quota/i.test(message);
+      const isAuth = /api.key|unauthorized|403/i.test(message);
+      throw new AutopilotError(`Gemini review call failed: ${message}`, {
+        code: isAuth ? 'auth' : isRateLimit ? 'rate_limit' : 'transient_network',
+        provider: 'gemini',
+        retryable: isRateLimit,
+      });
+    }
+
+    const rawOutput = result.response.text();
+    const usage = result.response.usageMetadata;
+    const costUSD = usage
+      ? (usage.promptTokenCount / 1_000_000) * COST_PER_M_INPUT +
+        (usage.candidatesTokenCount / 1_000_000) * COST_PER_M_OUTPUT
+      : undefined;
+
+    return {
+      findings: parseGeminiOutput(rawOutput),
+      rawOutput,
+      usage: usage
+        ? { input: usage.promptTokenCount, output: usage.candidatesTokenCount, costUSD }
+        : undefined,
+    };
+  },
+};
+
+export default geminiAdapter;
+
+function parseGeminiOutput(output: string): Finding[] {
+  const findings: Finding[] = [];
+  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
+  let match: RegExpExecArray | null;
+  while ((match = regex.exec(output)) !== null) {
+    const severity = match[1]!.toLowerCase() as Finding['severity'];
+    const body = match[2]!.trim();
+    const titleEnd = body.indexOf('\n');
+    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
+    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
+    findings.push({
+      id: `gemini-${findings.length}`,
+      source: 'review-engine',
+      severity,
+      category: 'gemini-review',
+      file: '<unspecified>',
+      message: title,
+      suggestion,
+      protectedPath: false,
+      createdAt: new Date().toISOString(),
+    });
+  }
+  return findings;
+}

package/src/adapters/review-engine/openai-compatible.ts

@@ -0,0 +1,126 @@
+import OpenAI from 'openai';
+import type { Finding } from '../../core/findings/types.ts';
+import { AutopilotError } from '../../core/errors.ts';
+import type { Capabilities } from '../base.ts';
+import type { ReviewEngine, ReviewInput, ReviewOutput } from './types.ts';
+
+const MAX_OUTPUT_TOKENS = 4096;
+
+const SYSTEM_PROMPT_TEMPLATE = `You are a senior software architect reviewing code changes for quality, security, and correctness.
+
+The codebase context:
+{STACK}
+
+Provide structured feedback in exactly this format:
+
+## Review Summary
+One paragraph overall assessment.
+
+## Findings
+
+For each finding, use this format:
+### [CRITICAL|WARNING|NOTE] <short title>
+<explanation>
+**Suggestion:** <actionable fix>
+
+Rules:
+- CRITICAL: Blocks merge (security issues, data loss risks, broken contracts)
+- WARNING: Should address before merging (logic errors, missing error handling, test gaps)
+- NOTE: Improvement suggestion (style, performance, clarity)
+- Maximum 10 findings, ranked by severity
+- Be specific and constructive
+- Reference the file and line when possible`;
+
+export const openaiCompatibleAdapter: ReviewEngine = {
+  name: 'openai-compatible',
+  apiVersion: '1.0.0',
+
+  getCapabilities(): Capabilities {
+    return { structuredOutput: false, streaming: false, maxContextTokens: 128000, inlineComments: false };
+  },
+
+  estimateTokens(content: string): number {
+    return Math.ceil(content.length / 4);
+  },
+
+  async review(input: ReviewInput): Promise<ReviewOutput> {
+    const opts = (input.context as Record<string, unknown> | undefined) ?? {};
+
+    // API key: options.apiKey → named env var → OPENAI_API_KEY
+    const apiKeyEnv = (opts['apiKeyEnv'] as string | undefined) ?? 'OPENAI_API_KEY';
+    const apiKey = (opts['apiKey'] as string | undefined) ?? process.env[apiKeyEnv] ?? 'ollama';
+
+    const baseURL = (opts['baseUrl'] as string | undefined) ??
+      process.env.OPENAI_BASE_URL ??
+      undefined;
+
+    const model = opts['model'] as string | undefined;
+    if (!model) {
+      throw new AutopilotError(
+        'openai-compatible adapter requires options.model to be set in autopilot.config.yaml',
+        { code: 'invalid_config', provider: 'openai-compatible' },
+      );
+    }
+
+    const stack = input.context?.stack ?? 'A web application — stack details unspecified.';
+    const systemPrompt = SYSTEM_PROMPT_TEMPLATE.replace('{STACK}', stack);
+    const client = new OpenAI({ apiKey, ...(baseURL ? { baseURL } : {}) });
+
+    let response: OpenAI.Chat.ChatCompletion;
+    try {
+      response = await client.chat.completions.create({
+        model,
+        max_tokens: MAX_OUTPUT_TOKENS,
+        messages: [
+          { role: 'system', content: systemPrompt },
+          { role: 'user', content: `Please review the following:\n\n---\n\n${input.content}` },
+        ],
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      const isRateLimit = /rate.limit|429/i.test(message);
+      const isAuth = /unauthorized|401|invalid.api.key/i.test(message);
+      throw new AutopilotError(`openai-compatible review call failed: ${message}`, {
+        code: isAuth ? 'auth' : isRateLimit ? 'rate_limit' : 'transient_network',
+        provider: 'openai-compatible',
+        retryable: isRateLimit,
+      });
+    }
+
+    const rawOutput = response.choices[0]?.message.content ?? '';
+    return {
+      findings: parseOutput(rawOutput),
+      rawOutput,
+      usage: response.usage
+        ? { input: response.usage.prompt_tokens, output: response.usage.completion_tokens }
+        : undefined,
+    };
+  },
+};
+
+export default openaiCompatibleAdapter;
+
+function parseOutput(output: string): Finding[] {
+  const findings: Finding[] = [];
+  const regex = /### \[(CRITICAL|WARNING|NOTE)\]\s*(.+?)(?=\n### \[|## Review Summary|$)/gs;
+  let match: RegExpExecArray | null;
+  while ((match = regex.exec(output)) !== null) {
+    const severity = match[1]!.toLowerCase() as Finding['severity'];
+    const body = match[2]!.trim();
+    const titleEnd = body.indexOf('\n');
+    const title = (titleEnd > 0 ? body.slice(0, titleEnd) : body).trim();
+    const suggestion = body.match(/\*\*Suggestion:\*\*\s*(.+)/s)?.[1]?.trim();
+    findings.push({
+      id: `openai-compatible-${findings.length}`,
+      source: 'review-engine',
+      severity,
+      category: 'openai-compatible-review',
+      file: '<unspecified>',
+      message: title,
+      suggestion,
+      protectedPath: false,
+      createdAt: new Date().toISOString(),
+    });
+  }
+  return findings;
+}

package/src/cli/preflight.ts

@@ -87,14 +87,17 @@ export async function runDoctor(): Promise<DoctorResult> {
       : undefined,
   });
 
-  // 6. OPENAI_API_KEY set
+  // 6. LLM API key (ANTHROPIC_API_KEY preferred, OPENAI_API_KEY as fallback)
   const envVars = envFile ? loadEnvFile(envFile) : {};
+  const hasAnthropic = !!process.env.ANTHROPIC_API_KEY || !!envVars['ANTHROPIC_API_KEY'];
   const hasOpenAI = !!process.env.OPENAI_API_KEY || !!envVars['OPENAI_API_KEY'];
+  const hasLLMKey = hasAnthropic || hasOpenAI;
+  const llmKeyName = hasAnthropic ? 'ANTHROPIC_API_KEY' : hasOpenAI ? 'OPENAI_API_KEY' : 'none';
   checks.push({
-    name: 'OPENAI_API_KEY',
-    result: hasOpenAI ? 'pass' : 'warn',
-    message: !hasOpenAI
-      ? `OPENAI_API_KEY not set — Codex review steps will be skipped`
+    name: `LLM API key (${llmKeyName})`,
+    result: hasLLMKey ? 'pass' : 'warn',
+    message: !hasLLMKey
+      ? `No LLM API key found — set ANTHROPIC_API_KEY (recommended) or OPENAI_API_KEY to enable review`
       : undefined,
   });
 

package/src/cli/run.ts

@@ -21,6 +21,7 @@ for (const f of ENV_FILES) {
 }
 
 import { loadConfig } from '../core/config/loader.ts';
+import { loadRulesFromConfig } from '../core/static-rules/registry.ts';
 import { resolvePreset } from '../core/config/preset-resolver.ts';
 import { mergeConfigs } from '../core/config/preset-resolver.ts';
 import { loadAdapter } from '../adapters/loader.ts';
@@ -111,9 +112,10 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   let reviewEngine: ReviewEngine | undefined;
   if (config.reviewEngine) {
     const ref = typeof config.reviewEngine === 'string' ? config.reviewEngine : config.reviewEngine.adapter;
-    const hasAnyKey = !!(process.env.ANTHROPIC_API_KEY || process.env.OPENAI_API_KEY);
-    if (!hasAnyKey && (ref === 'auto' || ref === 'claude' || ref === 'codex')) {
-      console.log(fmt('yellow', '\n  [run] No LLM API key found — set ANTHROPIC_API_KEY or OPENAI_API_KEY to enable review'));
+    const hasAnyKey = !!(process.env.ANTHROPIC_API_KEY || process.env.GEMINI_API_KEY ||
+      process.env.GOOGLE_API_KEY || process.env.OPENAI_API_KEY || process.env.GROQ_API_KEY);
+    if (!hasAnyKey && ['auto', 'claude', 'gemini', 'codex', 'openai-compatible'].includes(ref)) {
+      console.log(fmt('yellow', '\n  [run] No LLM API key found — set ANTHROPIC_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY, or GROQ_API_KEY to enable review'));
     } else {
       try {
         reviewEngine = await loadAdapter<ReviewEngine>({
@@ -127,11 +129,17 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     }
   }
 
+  // Load static rules from config
+  const staticRules = config.staticRules && config.staticRules.length > 0
+    ? await loadRulesFromConfig(config.staticRules)
+    : [];
+
   // Execute pipeline
   const input: RunInput = {
     touchedFiles,
     config,
     reviewEngine,
+    staticRules,
     cwd,
   };
 

package/src/core/static-rules/registry.ts

@@ -0,0 +1,42 @@
+import type { StaticRule } from '../phases/static-rules.ts';
+import type { StaticRuleReference } from '../config/types.ts';
+
+// Built-in cross-stack rules
+const BUILTIN: Record<string, () => Promise<StaticRule>> = {
+  'hardcoded-secrets': () => import('./rules/hardcoded-secrets.ts').then(m => m.hardcodedSecretsRule),
+  'npm-audit':         () => import('./rules/npm-audit.ts').then(m => m.npmAuditRule),
+  'package-lock-sync': () => import('./rules/package-lock-sync.ts').then(m => m.packageLockSyncRule),
+  'console-log':       () => import('./rules/console-log.ts').then(m => m.consoleLogRule),
+  'todo-fixme':        () => import('./rules/todo-fixme.ts').then(m => m.todoFixmeRule),
+  'large-file':        () => import('./rules/large-file.ts').then(m => m.largeFileRule),
+  'missing-tests':     () => import('./rules/missing-tests.ts').then(m => m.missingTestsRule),
+};
+
+// Preset-specific rules registered by name
+const PRESET: Record<string, () => Promise<StaticRule>> = {
+  'supabase-rls-bypass': () => import('../../../presets/nextjs-supabase/rules/supabase-rls-bypass.ts').then(m => m.supabaseRlsBypassRule),
+  'go-sql-injection':    () => import('../../../presets/go/rules/go-sql-injection.ts').then(m => m.goSqlInjectionRule),
+  'fastapi-missing-auth': () => import('../../../presets/python-fastapi/rules/fastapi-missing-auth.ts').then(m => m.fastapiMissingAuthRule),
+  't3-server-only':      () => import('../../../presets/t3/rules/t3-server-only.ts').then(m => m.t3ServerOnlyRule),
+  'rails-sql-injection': () => import('../../../presets/rails-postgres/rules/rails-sql-injection.ts').then(m => m.railsSqlInjectionRule),
+};
+
+const ALL = { ...BUILTIN, ...PRESET };
+
+export async function loadRulesFromConfig(refs: StaticRuleReference[]): Promise<StaticRule[]> {
+  const rules: StaticRule[] = [];
+  for (const ref of refs) {
+    const name = typeof ref === 'string' ? ref : ref.adapter;
+    const loader = ALL[name];
+    if (loader) {
+      rules.push(await loader());
+    } else {
+      process.stderr.write(`[autopilot] Unknown static rule: "${name}" — skipping\n`);
+    }
+  }
+  return rules;
+}
+
+export function listAvailableRules(): string[] {
+  return Object.keys(ALL);
+}

package/src/core/static-rules/rules/console-log.ts

@@ -0,0 +1,42 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const CONSOLE_CALLS = /\bconsole\.(log|debug|info)\s*\(/;
+const CODE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mts', '.cts', '.mjs', '.cjs']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+
+export const consoleLogRule: StaticRule = {
+  name: 'console-log',
+  severity: 'warning',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (!CODE_EXTS.has(ext) || TEST_PATH.test(file)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]!;
+        if (line.trim().startsWith('//')) continue;
+        if (CONSOLE_CALLS.test(line)) {
+          findings.push({
+            id: `console-log:${file}:${i + 1}`,
+            source: 'static-rules',
+            severity: 'warning',
+            category: 'console-log',
+            file,
+            line: i + 1,
+            message: 'console.log/debug/info left in production code',
+            suggestion: 'Remove or replace with a structured logger',
+            protectedPath: false,
+            createdAt: new Date().toISOString(),
+          });
+        }
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/hardcoded-secrets.ts

@@ -0,0 +1,57 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const SECRET_PATTERNS: { regex: RegExp; label: string }[] = [
+  { regex: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS Access Key ID' },
+  { regex: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{6,}['"]/, label: 'Hardcoded password' },
+  { regex: /(?:api_key|apikey|api-key)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded API key' },
+  { regex: /(?:secret|secret_key|secretkey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded secret' },
+  { regex: /(?:access_token|accesstoken)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded access token' },
+  { regex: /(?:private_key|privatekey)\s*[:=]\s*['"][^'"]{8,}['"]/, label: 'Hardcoded private key' },
+  { regex: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/, label: 'Private key block' },
+];
+
+// Patterns that indicate a placeholder, not a real secret
+const PLACEHOLDER = /(?:your[-_]?|xxx|placeholder|example|test|fake|dummy|changeme|<[^>]+>)/i;
+const SKIP_EXTS = new Set(['.md', '.txt', '.yaml', '.yml', '.json', '.lock', '.snap']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+
+export const hardcodedSecretsRule: StaticRule = {
+  name: 'hardcoded-secrets',
+  severity: 'critical',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext) || TEST_PATH.test(file)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i]!;
+        if (line.trim().startsWith('//') || line.trim().startsWith('#')) continue;
+        for (const { regex, label } of SECRET_PATTERNS) {
+          const match = line.match(regex);
+          if (match && !PLACEHOLDER.test(match[0])) {
+            findings.push({
+              id: `hardcoded-secrets:${file}:${i + 1}`,
+              source: 'static-rules',
+              severity: 'critical',
+              category: 'hardcoded-secrets',
+              file,
+              line: i + 1,
+              message: `${label} appears hardcoded`,
+              suggestion: 'Move to environment variable and load via process.env',
+              protectedPath: false,
+              createdAt: new Date().toISOString(),
+            });
+            break;
+          }
+        }
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/large-file.ts

@@ -0,0 +1,37 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const DEFAULT_THRESHOLD = 500;
+const SKIP_EXTS = new Set(['.lock', '.snap', '.map', '.min.js', '.min.css']);
+
+export const largeFileRule: StaticRule = {
+  name: 'large-file',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const threshold = parseInt(process.env.AUTOPILOT_LARGE_FILE_LINES ?? '', 10) || DEFAULT_THRESHOLD;
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n').length;
+      if (lines > threshold) {
+        findings.push({
+          id: `large-file:${file}`,
+          source: 'static-rules',
+          severity: 'note',
+          category: 'large-file',
+          file,
+          message: `File is ${lines} lines (threshold: ${threshold})`,
+          suggestion: 'Consider splitting into smaller, focused modules',
+          protectedPath: false,
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/missing-tests.ts

@@ -0,0 +1,57 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const SOURCE_DIRS = ['src/', 'app/', 'lib/', 'utils/'];
+const SOURCE_EXTS = new Set(['.ts', '.tsx', '.js', '.jsx']);
+const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/)/;
+const INDEX_FILE = /(?:^|[/\\])index\.[tj]sx?$/;
+
+function isSourceFile(f: string): boolean {
+  const ext = f.slice(f.lastIndexOf('.'));
+  return SOURCE_EXTS.has(ext) && !TEST_PATH.test(f) && SOURCE_DIRS.some(d => f.startsWith(d));
+}
+
+function hasTestCounterpart(file: string, touchedFiles: Set<string>): boolean {
+  const base = file.replace(/\.[tj]sx?$/, '');
+  const candidates = [
+    `${base}.test.ts`, `${base}.test.tsx`, `${base}.test.js`,
+    `${base}.spec.ts`, `${base}.spec.tsx`, `${base}.spec.js`,
+  ];
+  const dir = path.dirname(file);
+  const name = path.basename(base);
+  candidates.push(
+    `${dir}/__tests__/${name}.test.ts`,
+    `${dir}/__tests__/${name}.test.tsx`,
+    `${dir}/__tests__/${name}.test.js`,
+  );
+  return candidates.some(c => touchedFiles.has(c) || fs.existsSync(c));
+}
+
+export const missingTestsRule: StaticRule = {
+  name: 'missing-tests',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const touched = new Set(touchedFiles);
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      if (!isSourceFile(file) || INDEX_FILE.test(file)) continue;
+      if (!hasTestCounterpart(file, touched)) {
+        findings.push({
+          id: `missing-tests:${file}`,
+          source: 'static-rules',
+          severity: 'note',
+          category: 'missing-tests',
+          file,
+          message: 'No test file found for this changed source file',
+          suggestion: `Add tests at ${file.replace(/\.[tj]sx?$/, '.test.ts')}`,
+          protectedPath: false,
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/npm-audit.ts

@@ -0,0 +1,38 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { runSafe } from '../../shell.ts';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export const npmAuditRule: StaticRule = {
+  name: 'npm-audit',
+  severity: 'critical',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const cwd = process.cwd();
+    if (!fs.existsSync(path.join(cwd, 'package.json'))) return [];
+
+    const out = runSafe('npm', ['audit', '--json'], { cwd });
+    if (!out) return [];
+
+    let report: { vulnerabilities?: Record<string, { severity: string; name: string; via: unknown[] }> };
+    try { report = JSON.parse(out); } catch { return []; }
+
+    const findings: Finding[] = [];
+    for (const [, vuln] of Object.entries(report.vulnerabilities ?? {})) {
+      if (vuln.severity !== 'critical' && vuln.severity !== 'high') continue;
+      findings.push({
+        id: `npm-audit:${vuln.name}`,
+        source: 'static-rules',
+        severity: vuln.severity === 'critical' ? 'critical' : 'warning',
+        category: 'npm-audit',
+        file: 'package.json',
+        message: `${vuln.severity.toUpperCase()} vulnerability in ${vuln.name}`,
+        suggestion: `Run: npm audit fix`,
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      });
+    }
+    return findings;
+  },
+};

package/src/core/static-rules/rules/package-lock-sync.ts

@@ -0,0 +1,54 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+export const packageLockSyncRule: StaticRule = {
+  name: 'package-lock-sync',
+  severity: 'warning',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const cwd = process.cwd();
+    const hasPkg = touchedFiles.some(f => f === 'package.json');
+    const hasLock = touchedFiles.some(f => f === 'package-lock.json');
+
+    if (!hasPkg && !hasLock) return [];
+
+    const pkgExists = fs.existsSync(path.join(cwd, 'package.json'));
+    const lockExists = fs.existsSync(path.join(cwd, 'package-lock.json'));
+
+    if (!pkgExists) return [];
+
+    // package.json changed but lock didn't
+    if (hasPkg && !hasLock && lockExists) {
+      return [{
+        id: 'package-lock-sync:package.json',
+        source: 'static-rules',
+        severity: 'warning',
+        category: 'package-lock-sync',
+        file: 'package.json',
+        message: 'package.json changed but package-lock.json was not updated',
+        suggestion: 'Run npm install to sync the lockfile',
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      }];
+    }
+
+    // lock changed but package.json didn't (unusual, flag it)
+    if (hasLock && !hasPkg) {
+      return [{
+        id: 'package-lock-sync:package-lock.json',
+        source: 'static-rules',
+        severity: 'warning',
+        category: 'package-lock-sync',
+        file: 'package-lock.json',
+        message: 'package-lock.json changed without a corresponding package.json change',
+        suggestion: 'Verify this is intentional — lockfile-only changes can indicate manual edits',
+        protectedPath: false,
+        createdAt: new Date().toISOString(),
+      }];
+    }
+
+    return [];
+  },
+};

package/src/core/static-rules/rules/todo-fixme.ts

@@ -0,0 +1,40 @@
+import * as fs from 'node:fs';
+import type { StaticRule } from '../../phases/static-rules.ts';
+import type { Finding } from '../../findings/types.ts';
+
+const TODO_PATTERN = /\b(TODO|FIXME|HACK|XXX)\b/;
+const SKIP_EXTS = new Set(['.lock', '.snap', '.png', '.jpg', '.svg', '.ico']);
+
+export const todoFixmeRule: StaticRule = {
+  name: 'todo-fixme',
+  severity: 'note',
+
+  async check(touchedFiles: string[]): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    for (const file of touchedFiles) {
+      const ext = file.slice(file.lastIndexOf('.'));
+      if (SKIP_EXTS.has(ext)) continue;
+      let content: string;
+      try { content = fs.readFileSync(file, 'utf8'); } catch { continue; }
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const match = lines[i]!.match(TODO_PATTERN);
+        if (match) {
+          findings.push({
+            id: `todo-fixme:${file}:${i + 1}`,
+            source: 'static-rules',
+            severity: 'note',
+            category: 'todo-fixme',
+            file,
+            line: i + 1,
+            message: `${match[1]} comment in changed file`,
+            suggestion: 'Resolve before merging or track in an issue',
+            protectedPath: false,
+            createdAt: new Date().toISOString(),
+          });
+        }
+      }
+    }
+    return findings;
+  },
+};