@delegance/claude-autopilot 2.5.0 → 5.0.0-alpha.2

package/src/cli/run.ts

@@ -25,23 +25,37 @@ import { loadRulesFromConfig } from '../core/static-rules/registry.ts';
 import { resolvePreset } from '../core/config/preset-resolver.ts';
 import { mergeConfigs } from '../core/config/preset-resolver.ts';
 import { loadAdapter } from '../adapters/loader.ts';
-import { runAutopilot } from '../core/pipeline/run.ts';
+import { runGuardrail } from '../core/pipeline/run.ts';
 import { resolveGitTouchedFiles } from '../core/git/touched-files.ts';
 import type { RunInput } from '../core/pipeline/run.ts';
 import type { ReviewEngine } from '../adapters/review-engine/types.ts';
-import type { AutopilotConfig } from '../core/config/types.ts';
+import type { GuardrailConfig } from '../core/config/types.ts';
 import { fileURLToPath } from 'node:url';
 import { toSarif } from '../formatters/sarif.ts';
+import { toJUnit } from '../formatters/junit.ts';
+import { loadTriage, filterTriaged } from '../core/persist/triage.ts';
 import { emitAnnotations } from '../formatters/github-annotations.ts';
 import { detectStack } from '../core/detect/stack.ts';
 import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
 import { detectGitContext } from '../core/detect/git-context.ts';
+import { detectWorkspaces, mapFilesToWorkspaces } from '../core/detect/workspaces.ts';
 import { detectProject } from './detector.ts';
 import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
 import { postReviewComments } from './pr-review-comments.ts';
 import { loadIgnoreRules, parseConfigIgnore, applyIgnoreRules } from '../core/ignore/index.ts';
+import { detectLLMKey, LLM_KEY_HINTS } from '../core/detect/llm-key.ts';
 import { loadCachedFindings, saveCachedFindings, filterNewFindings } from '../core/persist/findings-cache.ts';
+import { loadBaseline, filterBaselined } from '../core/persist/baseline.ts';
 import { appendCostLog } from '../core/persist/cost-log.ts';
+import { postCommitStatus, resolveCommitSha } from '../adapters/vcs-host/commit-status.ts';
+
+function computeExitCode(findings: { severity: string }[], failOn: string): number {
+  if (failOn === 'none') return 0;
+  const fail = failOn === 'warning' ? ['critical', 'warning']
+    : failOn === 'note' ? ['critical', 'warning', 'note']
+    : ['critical'];
+  return findings.some(f => fail.includes(f.severity)) ? 1 : 0;
+}
 
 function readToolVersion(): string {
   const pkgPath = path.join(path.dirname(fileURLToPath(import.meta.url)), '../../package.json');
@@ -70,10 +84,13 @@ export interface RunCommandOptions {
   dryRun?: boolean;     // skip review, print what would run
   diff?: boolean;           // use diff strategy (send git hunks instead of full files)
   delta?: boolean;          // only report findings not present in last run's baseline
+  newOnly?: boolean;        // only report findings not in committed .guardrail-baseline.json
+  failOn?: 'critical' | 'warning' | 'note' | 'none'; // severity threshold for exit 1
   inlineComments?: boolean; // post per-line review comments on the PR diff
-  format?: 'text' | 'sarif';
+  format?: 'text' | 'sarif' | 'junit';
   outputPath?: string;
   postComments?: boolean; // post/update summary comment on the open PR
+  skipReview?: boolean;  // skip tests and review phases (static rules only)
 }
 
 /**
@@ -82,27 +99,26 @@ export interface RunCommandOptions {
  */
 export async function runCommand(options: RunCommandOptions = {}): Promise<number> {
   const cwd = options.cwd ?? process.cwd();
-  const configPath = options.configPath ?? path.join(cwd, 'autopilot.config.yaml');
+  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
 
+  // Load + merge config (graceful zero-config fallback)
+  let config: GuardrailConfig;
   if (!fs.existsSync(configPath)) {
-    console.error(fmt('red', `[run] autopilot.config.yaml not found at ${configPath}`));
-    console.error(fmt('dim', '      Run: npx autopilot init'));
-    return 1;
-  }
-
-  // Load + merge config
-  let config: AutopilotConfig;
-  try {
-    const userConfig = await loadConfig(configPath);
-    if (userConfig.preset) {
-      const preset = await resolvePreset(userConfig.preset);
-      config = mergeConfigs(preset.config, userConfig);
-    } else {
-      config = userConfig;
+    console.log(fmt('dim', `[run] No guardrail.config.yaml found — using defaults. Run \`npx guardrail setup\` to configure.`));
+    config = { configVersion: 1, reviewEngine: { adapter: 'auto' }, testCommand: null };
+  } else {
+    try {
+      const userConfig = await loadConfig(configPath);
+      if (userConfig.preset) {
+        const preset = await resolvePreset(userConfig.preset);
+        config = mergeConfigs(preset.config, userConfig);
+      } else {
+        config = userConfig;
+      }
+    } catch (err) {
+      console.error(fmt('red', `[run] Config error: ${err instanceof Error ? err.message : String(err)}`));
+      return 1;
     }
-  } catch (err) {
-    console.error(fmt('red', `[run] Config error: ${err instanceof Error ? err.message : String(err)}`));
-    return 1;
   }
 
   // Fill in missing config fields from auto-detection (track what was auto-detected for logging)
@@ -124,6 +140,13 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     config = { ...config, testCommand: detected };
     autoDetected.push(`test: ${detected}`);
   }
+
+  // Monorepo workspace detection
+  const workspaces = detectWorkspaces(cwd);
+  if (workspaces && workspaces.length > 0) {
+    autoDetected.push(`workspaces: ${workspaces.length} (${workspaces.map(w => w.name).slice(0, 3).join(', ')}${workspaces.length > 3 ? ` +${workspaces.length - 3} more` : ''})`);
+  }
+
   const gitCtx = detectGitContext(cwd);
 
   // Resolve touched files
@@ -134,7 +157,7 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     return 0;
   }
 
-  console.log(`\n${fmt('bold', '[autopilot run]')} ${fmt('dim', configPath)}`);
+  console.log(`\n${fmt('bold', '[guardrail run]')} ${fmt('dim', configPath)}`);
   console.log(`${fmt('dim', `  ${touchedFiles.length} changed file(s):`)} ${touchedFiles.slice(0, 5).join(', ')}${touchedFiles.length > 5 ? ` … +${touchedFiles.length - 5} more` : ''}`);
   if (gitCtx.summary) {
     console.log(fmt('dim', `  ${gitCtx.summary}`));
@@ -152,10 +175,13 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
   let reviewEngine: ReviewEngine | undefined;
   if (config.reviewEngine) {
     const ref = typeof config.reviewEngine === 'string' ? config.reviewEngine : config.reviewEngine.adapter;
-    const hasAnyKey = !!(process.env.ANTHROPIC_API_KEY || process.env.GEMINI_API_KEY ||
-      process.env.GOOGLE_API_KEY || process.env.OPENAI_API_KEY || process.env.GROQ_API_KEY);
-    if (!hasAnyKey && ['auto', 'claude', 'gemini', 'codex', 'openai-compatible'].includes(ref)) {
-      console.log(fmt('yellow', '\n  [run] No LLM API key found — set ANTHROPIC_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY, or GROQ_API_KEY to enable review'));
+    if (!detectLLMKey().hasKey && ['auto', 'claude', 'gemini', 'codex', 'openai-compatible'].includes(ref)) {
+      console.log(fmt('yellow', '\n  [run] No LLM API key — set one of:'));
+      for (const { name, url, note } of LLM_KEY_HINTS) {
+        const suffix = note ? `  (${note})` : '';
+        console.log(fmt('dim', `         ${name.padEnd(18)} ${url}${suffix}`));
+      }
+      console.log('');
     } else {
       try {
         reviewEngine = await loadAdapter<ReviewEngine>({
@@ -179,6 +205,18 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     config = { ...config, reviewStrategy: 'diff' };
   }
 
+  // Pre-run cost estimate
+  if (config.cost?.estimateBeforeRun) {
+    const totalChars = touchedFiles.reduce((sum, f) => {
+      try { return sum + fs.statSync(f).size; } catch { return sum; }
+    }, 0);
+    const estTokens = Math.round(totalChars / 4);
+    const estCost = estTokens / 1_000_000 * 3.0; // rough: $3/M tokens (Sonnet)
+    const cap = config.cost?.maxPerRun;
+    console.log(fmt('dim', `  [run] estimated: ~${estTokens.toLocaleString()} tokens, ~$${estCost.toFixed(4)}`
+      + (cap ? ` (cap: $${cap})` : '')));
+  }
+
   // Execute pipeline
   const input: RunInput = {
     touchedFiles,
@@ -188,12 +226,19 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     cwd,
     gitSummary: gitCtx.summary ?? undefined,
     base: options.base,
+    skipReview: options.skipReview,
   };
 
+  // Post pending commit status (best-effort — never fatal)
+  const commitSha = resolveCommitSha(cwd);
+  if (commitSha) {
+    postCommitStatus({ sha: commitSha, state: 'pending', description: `Reviewing ${touchedFiles.length} file(s)…`, cwd });
+  }
+
   console.log('');
-  const result = await runAutopilot(input);
+  const result = await runGuardrail(input);
 
-  // Apply .autopilot-ignore + config ignore: rules
+  // Apply .guardrail-ignore + config ignore: rules
   const ignoreRules = [...loadIgnoreRules(cwd), ...parseConfigIgnore(config.ignore)];
   if (ignoreRules.length > 0) {
     const before = result.allFindings.length;
@@ -203,11 +248,11 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     }
     const suppressed = before - result.allFindings.length;
     if (suppressed > 0) {
-      console.log(fmt('dim', `  [run] ${suppressed} finding${suppressed !== 1 ? 's' : ''} suppressed by .autopilot-ignore`));
+      console.log(fmt('dim', `  [run] ${suppressed} finding${suppressed !== 1 ? 's' : ''} suppressed by .guardrail-ignore`));
     }
   }
 
-  // Delta mode: filter to only new findings vs last run's baseline, then persist
+  // Delta mode: filter to only new findings vs last run's cache, then persist
   if (options.delta) {
     const cached = loadCachedFindings(cwd);
     const before = result.allFindings.length;
@@ -220,7 +265,41 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
       console.log(fmt('dim', `  [run] ${existing} pre-existing finding${existing !== 1 ? 's' : ''} hidden (--delta mode)`));
     }
   }
-  // Always persist the unfiltered findings as the new baseline
+
+  // --new-only / policy.newOnly: filter against committed .guardrail-baseline.json
+  const policy = config.policy ?? {};
+  const newOnly = options.newOnly ?? policy.newOnly ?? false;
+  if (newOnly) {
+    const baseline = loadBaseline(cwd, policy.baselinePath);
+    if (baseline) {
+      const { newFindings, baselinedCount } = filterBaselined(result.allFindings, baseline);
+      result.allFindings = newFindings;
+      for (const phase of result.phases) {
+        phase.findings = filterBaselined(phase.findings, baseline).newFindings;
+      }
+      if (baselinedCount > 0) {
+        console.log(fmt('dim', `  [run] ${baselinedCount} baselined finding${baselinedCount !== 1 ? 's' : ''} suppressed (--new-only)`));
+      }
+    } else {
+      console.log(fmt('yellow', '  [run] --new-only: no .guardrail-baseline.json found — showing all findings'));
+      console.log(fmt('dim',    '         Run `guardrail baseline create` after first scan to pin the baseline'));
+    }
+  }
+
+  // Triage filter: suppress accepted-risk / false-positive findings
+  const triageStore = loadTriage(cwd);
+  if (triageStore.entries.length > 0) {
+    const { active, triageCount } = filterTriaged(result.allFindings, triageStore);
+    if (triageCount > 0) {
+      result.allFindings = active;
+      for (const phase of result.phases) {
+        phase.findings = filterTriaged(phase.findings, triageStore).active;
+      }
+      console.log(fmt('dim', `  [run] ${triageCount} triaged finding${triageCount !== 1 ? 's' : ''} suppressed (accepted-risk / false-positive)`));
+    }
+  }
+
+  // Always persist the unfiltered findings as the run cache
   saveCachedFindings(cwd, result.allFindings);
 
   // Append to per-run cost log
@@ -245,6 +324,14 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
   }
 
+  // Write JUnit XML output if requested
+  if (options.format === 'junit' && options.outputPath) {
+    const junit = toJUnit(result);
+    fs.mkdirSync(path.dirname(path.resolve(options.outputPath)), { recursive: true });
+    fs.writeFileSync(options.outputPath, junit, 'utf8');
+    console.log(fmt('dim', `[run] JUnit XML written to ${options.outputPath}`));
+  }
+
   // Post inline PR review comments if requested
   if (options.inlineComments) {
     const pr = detectPrNumber(cwd);
@@ -304,16 +391,33 @@ export async function runCommand(options: RunCommandOptions = {}): Promise<numbe
     console.log(`\n  ${fmt('dim', `${result.durationMs}ms total`)}`);
   }
 
-  // Final verdict
+  // Post final commit status
+  if (commitSha) {
+    const critical = result.allFindings.filter(f => f.severity === 'critical').length;
+    const warnings = result.allFindings.filter(f => f.severity === 'warning').length;
+    const state = result.status === 'fail' ? 'failure' : 'success';
+    const desc = result.status === 'pass'
+      ? 'All checks passed'
+      : result.status === 'warn'
+        ? `Passed with ${warnings} warning${warnings !== 1 ? 's' : ''}`
+        : `${critical} critical finding${critical !== 1 ? 's' : ''}`;
+    postCommitStatus({ sha: commitSha, state, description: desc, cwd });
+  }
+
+  // Final verdict — apply policy.failOn threshold
+  const failOn = options.failOn ?? policy.failOn ?? 'critical';
+  const exitCode = computeExitCode(result.allFindings, failOn);
+
   console.log('');
-  if (result.status === 'pass') {
+  if (exitCode === 0 && result.status !== 'pass') {
+    const reason = failOn === 'none' ? ' (policy: fail-on=none)' : ` (policy: fail-on=${failOn})`;
+    console.log(fmt('yellow', `[run] ! Passed with findings${reason}\n`));
+  } else if (result.status === 'pass') {
     console.log(fmt('green', '[run] ✓ All phases passed\n'));
-    return 0;
   } else if (result.status === 'warn') {
     console.log(fmt('yellow', '[run] ! Passed with warnings\n'));
-    return 0;
   } else {
     console.log(fmt('red', '[run] ✗ Pipeline failed — see findings above\n'));
-    return 1;
   }
+  return exitCode;
 }

package/src/cli/scan.ts

@@ -0,0 +1,233 @@
+import * as path from 'node:path';
+import * as fs from 'node:fs';
+import { loadConfig } from '../core/config/loader.ts';
+import { loadAdapter } from '../adapters/loader.ts';
+import type { ReviewEngine } from '../adapters/review-engine/types.ts';
+import { runReviewPhase } from '../core/pipeline/review-phase.ts';
+import { detectStack } from '../core/detect/stack.ts';
+import { loadIgnoreRules, parseConfigIgnore, applyIgnoreRules } from '../core/ignore/index.ts';
+import { saveCachedFindings } from '../core/persist/findings-cache.ts';
+import type { GuardrailConfig } from '../core/config/types.ts';
+import { detectLLMKey, LLM_KEY_HINTS } from '../core/detect/llm-key.ts';
+
+const C = {
+  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
+  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m', cyan: '\x1b[36m',
+};
+const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
+
+const IGNORED_DIRS = new Set([
+  'node_modules', '.git', 'dist', 'build', '.next', '.nuxt', 'coverage',
+  '.guardrail-cache', '.autopilot', '__pycache__', '.venv', 'vendor',
+]);
+
+const CODE_EXTS = new Set([
+  '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
+  '.py', '.go', '.rb', '.rs', '.java', '.kt', '.swift',
+  '.c', '.cpp', '.h', '.cs', '.php',
+  '.sql', '.sh', '.bash', '.yaml', '.yml', '.json', '.toml',
+]);
+
+function collectFiles(target: string, cwd: string): string[] {
+  const abs = path.isAbsolute(target) ? target : path.resolve(cwd, target);
+  if (!fs.existsSync(abs)) return [];
+
+  const stat = fs.statSync(abs);
+  if (stat.isFile()) return [abs];
+
+  const results: string[] = [];
+  function walk(dir: string) {
+    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+      if (IGNORED_DIRS.has(entry.name)) continue;
+      const full = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        walk(full);
+      } else if (entry.isFile() && CODE_EXTS.has(path.extname(entry.name))) {
+        results.push(full);
+      }
+    }
+  }
+  walk(abs);
+  return results;
+}
+
+function collectAllFiles(cwd: string): string[] {
+  return collectFiles(cwd, cwd);
+}
+
+export interface ScanCommandOptions {
+  cwd?: string;
+  configPath?: string;
+  targets?: string[];   // explicit paths/dirs to scan
+  all?: boolean;        // scan entire codebase
+  ask?: string;         // targeted question to inject into review prompt
+  focus?: 'security' | 'logic' | 'performance' | 'brand' | 'all';
+  dryRun?: boolean;
+}
+
+export async function runScan(options: ScanCommandOptions = {}): Promise<number> {
+  const cwd = options.cwd ?? process.cwd();
+  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
+
+  let config: GuardrailConfig = { configVersion: 1 };
+  if (fs.existsSync(configPath)) {
+    const loaded = await loadConfig(configPath);
+    if (loaded) config = loaded;
+  }
+
+  // Collect files
+  let files: string[];
+  if (options.all) {
+    files = collectAllFiles(cwd);
+  } else if (options.targets && options.targets.length > 0) {
+    files = options.targets.flatMap(t => collectFiles(t, cwd));
+  } else {
+    console.error(fmt('red', '[scan] Specify a path, --all, or use `guardrail run` for git-changed files'));
+    console.error(fmt('dim', '  Examples:'));
+    console.error(fmt('dim', '    guardrail scan src/auth/'));
+    console.error(fmt('dim', '    guardrail scan --all'));
+    console.error(fmt('dim', '    guardrail scan --ask "is there SQL injection?" src/db/'));
+    return 1;
+  }
+
+  // Deduplicate
+  files = [...new Set(files)];
+
+  if (files.length === 0) {
+    console.log(fmt('yellow', '[scan] No code files found at the specified path(s)'));
+    return 0;
+  }
+
+  if (options.dryRun) {
+    console.log(fmt('bold', `[scan] Would scan ${files.length} file(s):`));
+    for (const f of files) console.log(fmt('dim', `  ${path.relative(cwd, f)}`));
+    return 0;
+  }
+
+  // Auto-detect stack if not in config
+  if (!config.stack) {
+    config = { ...config, stack: detectStack(cwd) ?? undefined };
+  }
+
+  // Build review engine
+  if (!detectLLMKey().hasKey) {
+    console.error(fmt('red', '[scan] No LLM API key — set one of:'));
+    for (const { name, url, note } of LLM_KEY_HINTS) {
+      const suffix = note ? `  (${note})` : '';
+      console.error(fmt('dim', `         ${name.padEnd(18)} ${url}${suffix}`));
+    }
+    return 1;
+  }
+  const engineRef = typeof config.reviewEngine === 'string' ? config.reviewEngine
+    : (config.reviewEngine?.adapter ?? 'auto');
+  let engine: ReviewEngine;
+  try {
+    engine = await loadAdapter<ReviewEngine>({
+      point: 'review-engine',
+      ref: engineRef,
+      options: typeof config.reviewEngine === 'object' ? config.reviewEngine.options as Record<string, unknown> : undefined,
+    });
+  } catch (err) {
+    console.error(fmt('red', `[scan] Could not load review engine: ${err instanceof Error ? err.message : String(err)}`));
+    return 1;
+  }
+
+  const focusLabel = options.focus && options.focus !== 'all' ? options.focus : null;
+  const relFiles = files.map(f => path.relative(cwd, f));
+
+  console.log('');
+  const scopeDesc = options.all ? 'entire codebase' : relFiles.slice(0, 3).join(', ') + (relFiles.length > 3 ? ` +${relFiles.length - 3} more` : '');
+  console.log(fmt('bold', `[guardrail scan]`) + fmt('dim', ` ${files.length} file(s) — ${scopeDesc}`));
+  if (options.ask) console.log(fmt('dim', `  question: ${options.ask}`));
+  if (focusLabel) console.log(fmt('dim', `  focus: ${focusLabel}`));
+  console.log('');
+
+  // Build a focused git summary / prompt context
+  const focusHint = buildFocusHint(options.ask, focusLabel);
+
+  const result = await runReviewPhase({
+    touchedFiles: relFiles,
+    engine,
+    config,
+    cwd,
+    gitSummary: focusHint,
+  });
+
+  // Apply ignore rules
+  const ignoreRules = [...loadIgnoreRules(cwd), ...parseConfigIgnore(config.ignore)];
+  const findings = applyIgnoreRules(result.findings, ignoreRules);
+
+  // Print results
+  if (findings.length === 0 && options.ask && result.rawOutputs && result.rawOutputs.length > 0) {
+    // --ask returned prose rather than structured findings — surface raw response
+    console.log(fmt('cyan', `Answer:`));
+    for (const raw of result.rawOutputs) {
+      // Strip markdown fences and the ## Findings / ## Review Summary headers if present
+      const cleaned = raw.replace(/^##\s+Review Summary\s*\n/gm, '').replace(/^##\s+Findings\s*\n/gm, '').trim();
+      console.log(cleaned);
+    }
+    console.log('');
+  } else if (findings.length === 0) {
+    console.log(fmt('green', '✓ No findings'));
+  } else {
+    const critical = findings.filter(f => f.severity === 'critical');
+    const warnings = findings.filter(f => f.severity === 'warning');
+    const notes    = findings.filter(f => f.severity === 'note');
+
+    if (critical.length > 0) {
+      console.log(fmt('red', `🚨 ${critical.length} critical`));
+      for (const f of critical) {
+        const loc = f.file && f.file !== '<unspecified>' ? fmt('dim', `${f.file}${f.line ? `:${f.line}` : ''}`) + ' ' : '';
+        console.log(`  ${loc}${f.message}`);
+        if (f.suggestion) console.log(fmt('dim', `    → ${f.suggestion}`));
+      }
+      console.log('');
+    }
+    if (warnings.length > 0) {
+      console.log(fmt('yellow', `⚠  ${warnings.length} warning${warnings.length !== 1 ? 's' : ''}`));
+      for (const f of warnings) {
+        const loc = f.file && f.file !== '<unspecified>' ? fmt('dim', `${f.file}${f.line ? `:${f.line}` : ''}`) + ' ' : '';
+        console.log(`  ${loc}${f.message}`);
+        if (f.suggestion) console.log(fmt('dim', `    → ${f.suggestion}`));
+      }
+      console.log('');
+    }
+    if (notes.length > 0) {
+      console.log(fmt('dim', `ℹ  ${notes.length} note${notes.length !== 1 ? 's' : ''}`));
+      for (const f of notes) {
+        const loc = f.file && f.file !== '<unspecified>' ? `${f.file}${f.line ? `:${f.line}` : ''} ` : '';
+        console.log(fmt('dim', `  ${loc}${f.message}`));
+      }
+      console.log('');
+    }
+  }
+
+  // Persist findings so `guardrail fix` can read them
+  saveCachedFindings(cwd, findings);
+
+  if (result.costUSD !== undefined) {
+    console.log(fmt('dim', `  $${result.costUSD.toFixed(4)} · ${result.durationMs}ms`));
+  }
+
+  const fixable = findings.filter(f => f.severity === 'critical' || f.severity === 'warning');
+  if (fixable.length > 0) {
+    console.log(fmt('dim', `  → run \`guardrail fix\` to auto-fix ${fixable.length} finding${fixable.length !== 1 ? 's' : ''}`));
+  }
+
+  return findings.some(f => f.severity === 'critical') ? 1 : 0;
+}
+
+function buildFocusHint(ask: string | undefined, focus: string | null): string {
+  const parts: string[] = [];
+  if (ask) {
+    parts.push(
+      `TARGETED QUESTION (required): The reviewer specifically wants to know: "${ask}". ` +
+      `You MUST answer this question using the structured findings format. ` +
+      `Even if no issues are found, output at least one ### [NOTE] finding that directly answers the question.`,
+    );
+  }
+  if (focus === 'security') parts.push('Focus: security vulnerabilities, auth issues, injection risks, data exposure');
+  if (focus === 'logic') parts.push('Focus: logic bugs, incorrect behavior, edge cases, null handling, async errors');
+  if (focus === 'performance') parts.push('Focus: performance issues, N+1 queries, blocking I/O, memory leaks');
+  return parts.join(' | ');
+}