@delegance/claude-autopilot 2.5.0 → 5.0.0-alpha.2

package/src/cli/detector.ts

@@ -34,6 +34,21 @@ function nodeTestCommand(cwd: string): string {
   return cmd;
 }
 
+// Detects Supabase signals beyond package.json deps — env vars, config files, or client
+// usage. Required because many Next.js projects reference Supabase via the CLI/SSR tooling
+// before installing the JS client.
+function hasSupabaseSignals(cwd: string, deps: Record<string, string>): boolean {
+  if ('@supabase/supabase-js' in deps) return true;
+  if ('@supabase/ssr' in deps) return true;
+  if ('@supabase/auth-helpers-nextjs' in deps) return true;
+  if (fs.existsSync(path.join(cwd, 'supabase', 'config.toml'))) return true;
+  for (const envFile of ['.env', '.env.local', '.env.development']) {
+    const p = path.join(cwd, envFile);
+    if (fs.existsSync(p) && fileContains(p, 'SUPABASE_')) return true;
+  }
+  return false;
+}
+
 export function detectProject(cwd: string): DetectionResult {
   if (fs.existsSync(path.join(cwd, 'go.mod'))) {
     return { preset: 'go', testCommand: 'go test ./...', confidence: 'high', evidence: 'found go.mod' };
@@ -63,14 +78,15 @@ export function detectProject(cwd: string): DetectionResult {
     if ('@trpc/server' in deps) {
       return { preset: 't3', testCommand: testCmd, confidence: 'high', evidence: 'found @trpc/server in package.json' };
     }
-    if ('next' in deps && '@supabase/supabase-js' in deps) {
-      return { preset: 'nextjs-supabase', testCommand: testCmd, confidence: 'high', evidence: 'found next + @supabase/supabase-js in package.json' };
+    if ('next' in deps && hasSupabaseSignals(cwd, deps)) {
+      return { preset: 'nextjs-supabase', testCommand: testCmd, confidence: 'high', evidence: 'found next + supabase signals (deps/env/config)' };
     }
     if ('next' in deps) {
-      return { preset: 'nextjs-supabase', testCommand: testCmd, confidence: 'low', evidence: 'found next in package.json (no supabase detected)' };
+      // Plain Next.js — fall through to generic rather than mislabel as nextjs-supabase.
+      return { preset: 'generic', testCommand: testCmd, confidence: 'low', evidence: 'found next in package.json but no Supabase signals — using generic preset (pass --preset nextjs-supabase if you do use Supabase)' };
     }
-    return { preset: 'nextjs-supabase', testCommand: testCmd, confidence: 'low', evidence: 'found package.json (no strong framework signals)' };
+    return { preset: 'generic', testCommand: testCmd, confidence: 'low', evidence: 'found package.json (no strong framework signals) — using generic preset' };
   }
 
-  return { preset: 'nextjs-supabase', testCommand: 'npm test', confidence: 'low', evidence: 'no project signals found — using default preset' };
+  return { preset: 'generic', testCommand: 'npm test', confidence: 'low', evidence: 'no project signals found — using generic preset' };
 }

package/src/cli/explain.ts

@@ -0,0 +1,197 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { loadCachedFindings } from '../core/persist/findings-cache.ts';
+import { loadConfig } from '../core/config/loader.ts';
+import { loadAdapter } from '../adapters/loader.ts';
+import type { Finding } from '../core/findings/types.ts';
+import type { ReviewEngine } from '../adapters/review-engine/types.ts';
+
+const C = {
+  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m', cyan: '\x1b[36m',
+};
+const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
+
+const CONTEXT_LINES = 30;
+
+const SECTION_ORDER = ['Root Cause', 'Risk', 'How to Fix', 'Example', 'When to Suppress'] as const;
+type SectionName = typeof SECTION_ORDER[number];
+
+export interface ExplainCommandOptions {
+  cwd?: string;
+  configPath?: string;
+  target?: string;   // "file:line" or finding index (1-based) or finding id
+  index?: number;    // 1-based index into cached findings
+}
+
+function pickFinding(findings: Finding[], target: string): Finding | null {
+  // Try "file:line" format
+  const colonIdx = target.lastIndexOf(':');
+  if (colonIdx > 0) {
+    const file = target.slice(0, colonIdx);
+    const line = parseInt(target.slice(colonIdx + 1), 10);
+    if (!isNaN(line)) {
+      const match = findings.find(f => f.file.endsWith(file) && f.line === line);
+      if (match) return match;
+    }
+  }
+  // Try numeric index (1-based)
+  const n = parseInt(target, 10);
+  if (!isNaN(n) && n >= 1 && n <= findings.length) return findings[n - 1]!;
+  // Try finding id prefix
+  const byId = findings.find(f => f.id.startsWith(target));
+  if (byId) return byId;
+  return null;
+}
+
+/** Parse LLM output into named sections by ## headers. */
+function parseSections(text: string): Map<string, string> {
+  const map = new Map<string, string>();
+  const parts = text.split(/^##\s+/m);
+  for (const part of parts) {
+    const newline = part.indexOf('\n');
+    if (newline < 0) continue;
+    const header = part.slice(0, newline).trim();
+    const body = part.slice(newline + 1).trim();
+    if (header && body) map.set(header, body);
+  }
+  return map;
+}
+
+function printSection(label: SectionName, body: string): void {
+  const icon: Record<SectionName, string> = {
+    'Root Cause':    '🔍',
+    'Risk':          '⚠️ ',
+    'How to Fix':    '🔧',
+    'Example':       '📝',
+    'When to Suppress': '✅',
+  };
+  console.log(`\n${fmt('bold', `${icon[label]}  ${label}`)}`);
+  console.log(fmt('dim', '─'.repeat(50)));
+  console.log(body);
+}
+
+export async function runExplain(options: ExplainCommandOptions = {}): Promise<number> {
+  const cwd = options.cwd ?? process.cwd();
+  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
+
+  const findings = loadCachedFindings(cwd);
+  if (findings.length === 0) {
+    console.log(fmt('yellow', '[explain] No cached findings — run `guardrail run` or `guardrail scan` first.'));
+    return 0;
+  }
+
+  let finding: Finding | null = null;
+
+  if (options.target) {
+    finding = pickFinding(findings, options.target);
+    if (!finding) {
+      console.error(fmt('red', `[explain] No finding matching "${options.target}"`));
+      console.error(fmt('dim', '  Use file:line, finding index (1–' + findings.length + '), or rule id'));
+      return 1;
+    }
+  } else {
+    // No target — list findings and prompt
+    console.log(`\n${fmt('bold', '[guardrail explain]')} ${findings.length} cached finding${findings.length !== 1 ? 's' : ''}:\n`);
+    findings.forEach((f, i) => {
+      const sev = f.severity === 'critical' ? fmt('red', 'CRIT') : f.severity === 'warning' ? fmt('yellow', 'WARN') : fmt('dim', 'NOTE');
+      const loc = f.file !== '<unspecified>' ? fmt('dim', ` ${f.file}${f.line ? `:${f.line}` : ''}`) : '';
+      console.log(`  ${String(i + 1).padStart(2)}. [${sev}]${loc} ${f.message.slice(0, 70)}`);
+    });
+    console.log(fmt('dim', '\n  Run: guardrail explain <index|file:line|rule-id>\n'));
+    return 0;
+  }
+
+  // Load engine
+  let engine;
+  try {
+    const config = fs.existsSync(configPath) ? await loadConfig(configPath) : { configVersion: 1 as const };
+    const ref = typeof config.reviewEngine === 'string' ? config.reviewEngine
+      : (config.reviewEngine?.adapter ?? 'auto');
+    engine = await loadAdapter({ point: 'review-engine', ref,
+      options: typeof config.reviewEngine === 'object' ? config.reviewEngine.options : undefined });
+  } catch (err) {
+    console.error(fmt('red', `[explain] Could not load review engine: ${err instanceof Error ? err.message : String(err)}`));
+    return 1;
+  }
+
+  // Read file context
+  let codeContext = '';
+  if (finding.file && finding.file !== '<unspecified>' && finding.file !== '<pipeline>' && finding.line) {
+    const absPath = path.resolve(cwd, finding.file);
+    if (fs.existsSync(absPath)) {
+      const lines = fs.readFileSync(absPath, 'utf8').split('\n');
+      const lineIdx = finding.line - 1;
+      const start = Math.max(0, lineIdx - CONTEXT_LINES);
+      const end = Math.min(lines.length - 1, lineIdx + CONTEXT_LINES);
+      const numbered = lines.slice(start, end + 1).map((l, i) => {
+        const n = start + i + 1;
+        return `${n === finding!.line ? '>>>' : '   '} ${String(n).padStart(4)}: ${l}`;
+      }).join('\n');
+      codeContext = `\n\nRelevant code from ${finding.file} (>>> marks the finding):\n\`\`\`\n${numbered}\n\`\`\``;
+    }
+  }
+
+  const prompt = [
+    `I need a structured explanation of this code finding:`,
+    ``,
+    `Rule:     ${finding.id}`,
+    `Severity: ${finding.severity.toUpperCase()}`,
+    `File:     ${finding.file}${finding.line ? `:${finding.line}` : ''}`,
+    `Message:  ${finding.message}`,
+    finding.suggestion ? `Suggestion: ${finding.suggestion}` : '',
+    codeContext,
+    ``,
+    `Respond using EXACTLY these five section headers (no other headers):`,
+    ``,
+    `## Root Cause`,
+    `[technical explanation of why this problem exists]`,
+    ``,
+    `## Risk`,
+    `[real-world impact, exploitability, and severity rationale]`,
+    ``,
+    `## How to Fix`,
+    `[concrete, code-level remediation steps]`,
+    ``,
+    `## Example`,
+    `[before/after code snippet showing the fix, in a fenced code block]`,
+    ``,
+    `## When to Suppress`,
+    `[legitimate cases where this finding can be safely ignored]`,
+  ].filter(s => s !== undefined && s !== null).join('\n');
+
+  const sev = finding.severity === 'critical' ? fmt('red', 'CRITICAL')
+    : finding.severity === 'warning' ? fmt('yellow', 'WARNING') : fmt('dim', 'NOTE');
+
+  console.log(`\n${fmt('bold', '[guardrail explain]')}`);
+  console.log(`  [${sev}] ${fmt('dim', `${finding.file}${finding.line ? `:${finding.line}` : ''}`)} — ${finding.message}`);
+  if (finding.suggestion) console.log(`  ${fmt('dim', `→ ${finding.suggestion}`)}`);
+  console.log('');
+
+  try {
+    const output = await (engine as unknown as ReviewEngine).review({ content: prompt, kind: 'file-batch' });
+    const text = output.rawOutput.trim();
+    const sections = parseSections(text);
+
+    let printed = false;
+    for (const label of SECTION_ORDER) {
+      const body = sections.get(label);
+      if (body) {
+        printSection(label, body);
+        printed = true;
+      }
+    }
+
+    if (!printed) {
+      // LLM didn't follow the structure — print raw
+      console.log(text);
+    }
+
+    console.log('');
+  } catch (err) {
+    console.error(fmt('red', `[explain] LLM error: ${err instanceof Error ? err.message : String(err)}`));
+    return 1;
+  }
+
+  return 0;
+}

package/src/cli/fix.ts

@@ -1,10 +1,14 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import * as readline from 'node:readline';
+import { execSync } from 'node:child_process';
 import { loadCachedFindings } from '../core/persist/findings-cache.ts';
 import { loadConfig } from '../core/config/loader.ts';
 import { loadAdapter } from '../adapters/loader.ts';
 import type { ReviewEngine } from '../adapters/review-engine/types.ts';
 import type { Finding } from '../core/findings/types.ts';
+import type { GuardrailConfig } from '../core/config/types.ts';
+import { generateFix, buildUnifiedDiff, type GenerateResult } from '../core/fix/generator.ts';
 
 const C = {
   reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
@@ -12,36 +16,48 @@ const C = {
 };
 const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
 
-const CONTEXT_LINES = 20; // lines of file context to send on each side of the finding
-
 export interface FixCommandOptions {
   cwd?: string;
   configPath?: string;
-  severity?: 'critical' | 'warning' | 'all'; // which findings to fix (default: critical)
+  severity?: 'critical' | 'warning' | 'all';
   dryRun?: boolean;
+  yes?: boolean;      // skip per-fix confirmation prompts
+  noVerify?: boolean; // skip test verification after applying fix
 }
 
 interface FixResult {
   file: string;
   line: number;
   findingMessage: string;
-  status: 'fixed' | 'skipped' | 'failed';
+  status: 'fixed' | 'skipped' | 'rejected' | 'failed';
   reason?: string;
 }
 
+async function confirmFix(diff: string, finding: Finding): Promise<'yes' | 'no' | 'quit'> {
+  console.log('');
+  console.log(diff);
+  console.log('');
+
+  const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise(resolve => {
+    rl.question(fmt('bold', '  Apply this fix? [y]es / [n]o / [q]uit  '), answer => {
+      rl.close();
+      const a = answer.trim().toLowerCase();
+      if (a === 'q') resolve('quit');
+      else if (a === 'y' || a === '') resolve('yes');
+      else resolve('no');
+    });
+  });
+}
+
 export async function runFix(options: FixCommandOptions = {}): Promise<number> {
   const cwd = options.cwd ?? process.cwd();
-  const configPath = options.configPath ?? path.join(cwd, 'autopilot.config.yaml');
+  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
   const severityFilter = options.severity ?? 'critical';
 
-  if (!fs.existsSync(configPath)) {
-    console.error(fmt('red', `[fix] autopilot.config.yaml not found at ${configPath}`));
-    return 1;
-  }
-
   const findings = loadCachedFindings(cwd);
   if (findings.length === 0) {
-    console.log(fmt('yellow', '[fix] No cached findings — run `autopilot run` first.'));
+    console.log(fmt('yellow', '[fix] No cached findings — run `guardrail scan <path>` or `guardrail run` first.'));
     return 0;
   }
 
@@ -57,131 +73,177 @@ export async function runFix(options: FixCommandOptions = {}): Promise<number> {
     return 0;
   }
 
-  console.log(`\n${fmt('bold', '[autopilot fix]')} ${fixable.length} finding${fixable.length !== 1 ? 's' : ''} to attempt\n`);
+  const modeNote = options.dryRun ? ' (dry run)' : options.yes ? '' : ' (interactive — use --yes to skip prompts)';
+  console.log(`\n${fmt('bold', '[guardrail fix]')} ${fixable.length} finding${fixable.length !== 1 ? 's' : ''} to attempt${modeNote}\n`);
 
-  // Load review engine
+  // Print upfront summary of all fixable findings before prompting
+  for (const f of fixable) {
+    const sev = f.severity === 'critical' ? fmt('red', 'CRITICAL') : fmt('yellow', 'WARNING ');
+    const loc = fmt('dim', `${f.file}:${f.line}`);
+    console.log(`  [${sev}] ${loc} ${f.message}`);
+    if (f.suggestion) console.log(fmt('dim', `           → ${f.suggestion}`));
+  }
+  console.log('');
+
+  // Dry-run: listing the findings is sufficient — no LLM needed
+  if (options.dryRun) {
+    console.log(fmt('yellow', `[fix] Dry run — ${fixable.length} finding${fixable.length !== 1 ? 's' : ''} listed above, no files modified.\n`));
+    return 0;
+  }
+
+  // Load config + review engine (config optional — defaults to auto adapter)
   let engine: ReviewEngine;
+  let loadedConfig: GuardrailConfig | null = null;
   try {
-    const config = await loadConfig(configPath);
-    const ref = typeof config.reviewEngine === 'string' ? config.reviewEngine
-      : (config.reviewEngine?.adapter ?? 'auto');
+    loadedConfig = fs.existsSync(configPath) ? await loadConfig(configPath) : null;
+    const ref = loadedConfig
+      ? (typeof loadedConfig.reviewEngine === 'string' ? loadedConfig.reviewEngine : (loadedConfig.reviewEngine?.adapter ?? 'auto'))
+      : 'auto';
     engine = await loadAdapter<ReviewEngine>({
       point: 'review-engine',
       ref,
-      options: typeof config.reviewEngine === 'object' ? config.reviewEngine.options : undefined,
+      options: loadedConfig && typeof loadedConfig.reviewEngine === 'object' ? loadedConfig.reviewEngine.options : undefined,
     });
   } catch (err) {
     console.error(fmt('red', `[fix] Could not load review engine: ${err instanceof Error ? err.message : String(err)}`));
     return 1;
   }
 
+  const testCommand = loadedConfig?.testCommand ?? null;
+  const shouldVerify = !options.noVerify && !!testCommand;
+  if (shouldVerify) {
+    console.log(fmt('dim', `[fix] Verified mode — running "${testCommand}" after each fix\n`));
+  }
+
   const results: FixResult[] = [];
+  let quit = false;
 
   for (const finding of fixable) {
-    const result = await attemptFix(finding, engine, cwd, options.dryRun ?? false);
-    results.push(result);
-    const icon = result.status === 'fixed' ? fmt('green', '✓')
-               : result.status === 'skipped' ? fmt('dim', '–')
-               : fmt('red', '✗');
-    const loc = `${result.file}:${result.line}`;
-    console.log(`  ${icon}  ${loc.padEnd(40)} ${result.findingMessage.slice(0, 60)}`);
-    if (result.reason) console.log(fmt('dim', `       ${result.reason}`));
+    if (quit) {
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped', reason: 'user quit' });
+      continue;
+    }
+
+    const sev = finding.severity === 'critical' ? fmt('red', 'CRITICAL') : fmt('yellow', 'WARNING');
+    console.log(`\n  [${sev}] ${fmt('dim', `${finding.file}:${finding.line}`)} ${finding.message}`);
+
+    const result = await generateFix(finding, engine, cwd);
+
+    if (result.status === 'cannot_fix') {
+      console.log(fmt('dim', `    → skipped: ${result.reason}`));
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped', reason: result.reason });
+      continue;
+    }
+
+    if (result.status === 'rejected') {
+      console.log(fmt('yellow', `    → rejected: ${result.reason}`));
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'rejected', reason: result.reason });
+      continue;
+    }
+
+    if (result.status === 'error') {
+      console.log(fmt('red', `    → error: ${result.reason}`));
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'failed', reason: result.reason });
+      continue;
+    }
+
+    // Show diff
+    const diff = buildUnifiedDiff(result.originalLines!, result.replacementLines!, finding.file, result.startLine!);
+
+    if (options.dryRun) {
+      console.log('');
+      console.log(diff);
+      console.log(fmt('dim', '    (dry run — not applied)'));
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped', reason: 'dry run' });
+      continue;
+    }
+
+    // Interactive confirmation (unless --yes)
+    if (!options.yes) {
+      const answer = await confirmFix(diff, finding);
+      if (answer === 'quit') {
+        quit = true;
+        results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped', reason: 'user quit' });
+        continue;
+      }
+      if (answer === 'no') {
+        results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped', reason: 'user declined' });
+        continue;
+      }
+    } else {
+      // --yes mode: still print the diff so there's a record
+      console.log('');
+      console.log(diff);
+    }
+
+    // Apply fix atomically
+    try {
+      const absPath = path.resolve(cwd, finding.file);
+      const originalContent = fs.readFileSync(absPath, 'utf8');
+      const allLines = originalContent.split('\n');
+      const newLines = [
+        ...allLines.slice(0, result.startLine! - 1),
+        ...result.replacementLines!,
+        ...allLines.slice(result.endLine!),
+      ];
+      const tmp = absPath + '.guardrail.tmp';
+      fs.writeFileSync(tmp, newLines.join('\n'), 'utf8');
+      fs.renameSync(tmp, absPath);
+
+      if (shouldVerify) {
+        // Verified mode — same shell invocation pattern as phases/tests.ts
+        console.log(fmt('dim', `    ↻ verifying…`));
+        const passed = runTestCommand(testCommand!, cwd);
+        if (passed) {
+          console.log(fmt('green', `    ✓ applied + tests pass`));
+          results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'fixed' });
+        } else {
+          fs.writeFileSync(absPath, originalContent, 'utf8');
+          console.log(fmt('yellow', `    ⚠ reverted — tests failed after fix`));
+          results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'rejected', reason: 'tests failed after fix — reverted' });
+        }
+      } else {
+        console.log(fmt('green', `    ✓ applied`));
+        results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'fixed' });
+      }
+    } catch (err) {
+      console.log(fmt('red', `    ✗ write failed: ${err instanceof Error ? err.message : String(err)}`));
+      results.push({ file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'failed', reason: String(err) });
+    }
   }
 
-  const fixed = results.filter(r => r.status === 'fixed').length;
-  const failed = results.filter(r => r.status === 'failed').length;
+  const fixed    = results.filter(r => r.status === 'fixed').length;
+  const rejected = results.filter(r => r.status === 'rejected').length;
+  const failed   = results.filter(r => r.status === 'failed').length;
+  const skipped  = results.filter(r => r.status === 'skipped').length;
+
   console.log('');
   if (options.dryRun) {
-    console.log(fmt('yellow', `[fix] Dry run — no files modified. ${fixable.length} finding${fixable.length !== 1 ? 's' : ''} would be attempted.\n`));
+    console.log(fmt('yellow', `[fix] Dry run complete — ${fixable.length} finding${fixable.length !== 1 ? 's' : ''} previewed, no files modified.\n`));
   } else {
-    console.log(fmt('green', `[fix] ${fixed} fixed`) + fmt('dim', `, ${failed} failed, ${results.length - fixed - failed} skipped\n`));
+    const parts = [
+      fixed   > 0 ? fmt('green',  `${fixed} fixed`)    : null,
+      rejected > 0 ? fmt('yellow', `${rejected} rejected`) : null,
+      failed  > 0 ? fmt('red',    `${failed} failed`)   : null,
+      skipped > 0 ? fmt('dim',    `${skipped} skipped`)  : null,
+    ].filter(Boolean).join(fmt('dim', ' · '));
+    console.log(`[fix] ${parts}\n`);
   }
+
   return failed > 0 ? 1 : 0;
 }
 
-async function attemptFix(
-  finding: Finding,
-  engine: ReviewEngine,
-  cwd: string,
-  dryRun: boolean,
-): Promise<FixResult> {
-  const base: FixResult = { file: finding.file, line: finding.line!, findingMessage: finding.message, status: 'skipped' };
-
-  const absPath = path.resolve(cwd, finding.file);
-  let fileContent: string;
+function runTestCommand(cmd: string, cwd: string): boolean {
   try {
-    fileContent = fs.readFileSync(absPath, 'utf8');
+    execSync(cmd, {
+      cwd,
+      stdio: 'ignore',
+      timeout: 120000,
+      shell: process.env.SHELL ?? '/bin/sh',
+    });
+    return true;
   } catch {
-    return { ...base, status: 'skipped', reason: 'file not readable' };
-  }
-
-  const lines = fileContent.split('\n');
-  const lineIdx = finding.line! - 1;
-  if (lineIdx < 0 || lineIdx >= lines.length) {
-    return { ...base, status: 'skipped', reason: 'line out of range' };
-  }
-
-  const startIdx = Math.max(0, lineIdx - CONTEXT_LINES);
-  const endIdx = Math.min(lines.length - 1, lineIdx + CONTEXT_LINES);
-  const contextLines = lines.slice(startIdx, endIdx + 1);
-  const startLine = startIdx + 1;
-
-  const numbered = contextLines.map((l, i) => {
-    const n = startLine + i;
-    const marker = n === finding.line ? '>>>' : '   ';
-    return `${marker} ${String(n).padStart(4)}: ${l}`;
-  }).join('\n');
-
-  const prompt = [
-    `File: ${finding.file}`,
-    `Finding (line ${finding.line}): [${finding.severity.toUpperCase()}] ${finding.message}`,
-    finding.suggestion ? `Suggestion: ${finding.suggestion}` : '',
-    '',
-    'Here are the relevant lines (>>> marks the finding):',
-    '```',
-    numbered,
-    '```',
-    '',
-    `Rewrite ONLY lines ${startLine}–${endIdx + 1} to fix this finding.`,
-    'Rules:',
-    '- Output ONLY the replacement lines, no explanation, no markdown fences',
-    '- Preserve indentation and line count as much as possible',
-    '- Make the minimal change needed to fix the finding',
-    '- If the fix cannot be done safely in this context, output exactly: CANNOT_FIX',
-  ].filter(Boolean).join('\n');
-
-  let rawOutput: string;
-  try {
-    const output = await engine.review({ content: prompt, kind: 'file-batch' });
-    rawOutput = output.rawOutput.trim();
-  } catch (err) {
-    return { ...base, status: 'failed', reason: `LLM error: ${err instanceof Error ? err.message : String(err)}` };
-  }
-
-  if (rawOutput === 'CANNOT_FIX' || rawOutput.includes('CANNOT_FIX')) {
-    return { ...base, status: 'skipped', reason: 'LLM: cannot fix safely' };
+    return false;
   }
-
-  // Strip markdown fences if the model added them despite instructions
-  const cleaned = rawOutput.replace(/^```[a-z]*\n?/m, '').replace(/\n?```$/m, '').trimEnd();
-  const replacementLines = cleaned.split('\n');
-
-  if (dryRun) {
-    return { ...base, status: 'fixed', reason: `(dry run) would replace lines ${startLine}–${endIdx + 1}` };
-  }
-
-  // Splice replacement into file
-  const newLines = [
-    ...lines.slice(0, startIdx),
-    ...replacementLines,
-    ...lines.slice(endIdx + 1),
-  ];
-
-  try {
-    fs.writeFileSync(absPath, newLines.join('\n'), 'utf8');
-  } catch (err) {
-    return { ...base, status: 'failed', reason: `write error: ${err instanceof Error ? err.message : String(err)}` };
-  }
-
-  return { ...base, status: 'fixed' };
 }
+