npm - @delegance/claude-autopilot - Versions diffs - 5.0.1 → 5.0.3 - Mend

@delegance/claude-autopilot 5.0.1 → 5.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (412) hide show

package/dist/src/adapters/review-engine/codex.js +13 -1
package/dist/src/cli/index.js +39 -1
package/dist/src/cli/preflight.js +17 -4
package/dist/src/cli/scan.js +12 -0
package/package.json +4 -3
package/dist/presets/go/rules/go-sql-injection.d.ts.map +0 -1
package/dist/presets/go/rules/go-sql-injection.js.map +0 -1
package/dist/presets/nextjs-supabase/rules/supabase-rls-bypass.d.ts.map +0 -1
package/dist/presets/nextjs-supabase/rules/supabase-rls-bypass.js.map +0 -1
package/dist/presets/python-fastapi/rules/fastapi-missing-auth.d.ts.map +0 -1
package/dist/presets/python-fastapi/rules/fastapi-missing-auth.js.map +0 -1
package/dist/presets/rails-postgres/rules/rails-sql-injection.d.ts.map +0 -1
package/dist/presets/rails-postgres/rules/rails-sql-injection.js.map +0 -1
package/dist/presets/t3/rules/t3-server-only.d.ts.map +0 -1
package/dist/presets/t3/rules/t3-server-only.js.map +0 -1
package/dist/src/adapters/base.d.ts.map +0 -1
package/dist/src/adapters/base.js.map +0 -1
package/dist/src/adapters/council/claude.d.ts.map +0 -1
package/dist/src/adapters/council/claude.js.map +0 -1
package/dist/src/adapters/council/openai.d.ts.map +0 -1
package/dist/src/adapters/council/openai.js.map +0 -1
package/dist/src/adapters/council/types.d.ts.map +0 -1
package/dist/src/adapters/council/types.js.map +0 -1
package/dist/src/adapters/loader.d.ts.map +0 -1
package/dist/src/adapters/loader.js.map +0 -1
package/dist/src/adapters/migration-runner/supabase.d.ts.map +0 -1
package/dist/src/adapters/migration-runner/supabase.js.map +0 -1
package/dist/src/adapters/migration-runner/types.d.ts.map +0 -1
package/dist/src/adapters/migration-runner/types.js.map +0 -1
package/dist/src/adapters/review-bot-parser/cursor.d.ts.map +0 -1
package/dist/src/adapters/review-bot-parser/cursor.js.map +0 -1
package/dist/src/adapters/review-bot-parser/declarative-base.d.ts.map +0 -1
package/dist/src/adapters/review-bot-parser/declarative-base.js.map +0 -1
package/dist/src/adapters/review-bot-parser/types.d.ts.map +0 -1
package/dist/src/adapters/review-bot-parser/types.js.map +0 -1
package/dist/src/adapters/review-engine/auto.d.ts.map +0 -1
package/dist/src/adapters/review-engine/auto.js.map +0 -1
package/dist/src/adapters/review-engine/claude.d.ts.map +0 -1
package/dist/src/adapters/review-engine/claude.js.map +0 -1
package/dist/src/adapters/review-engine/codex.d.ts.map +0 -1
package/dist/src/adapters/review-engine/codex.js.map +0 -1
package/dist/src/adapters/review-engine/gemini.d.ts.map +0 -1
package/dist/src/adapters/review-engine/gemini.js.map +0 -1
package/dist/src/adapters/review-engine/openai-compatible.d.ts.map +0 -1
package/dist/src/adapters/review-engine/openai-compatible.js.map +0 -1
package/dist/src/adapters/review-engine/parse-output.d.ts.map +0 -1
package/dist/src/adapters/review-engine/parse-output.js.map +0 -1
package/dist/src/adapters/review-engine/prompt-builder.d.ts.map +0 -1
package/dist/src/adapters/review-engine/prompt-builder.js.map +0 -1
package/dist/src/adapters/review-engine/types.d.ts.map +0 -1
package/dist/src/adapters/review-engine/types.js.map +0 -1
package/dist/src/adapters/vcs-host/commit-status.d.ts.map +0 -1
package/dist/src/adapters/vcs-host/commit-status.js.map +0 -1
package/dist/src/adapters/vcs-host/github.d.ts.map +0 -1
package/dist/src/adapters/vcs-host/github.js.map +0 -1
package/dist/src/adapters/vcs-host/types.d.ts.map +0 -1
package/dist/src/adapters/vcs-host/types.js.map +0 -1
package/dist/src/cli/_pkg-root.d.ts.map +0 -1
package/dist/src/cli/_pkg-root.js.map +0 -1
package/dist/src/cli/autoregress-bridge.d.ts.map +0 -1
package/dist/src/cli/autoregress-bridge.js.map +0 -1
package/dist/src/cli/baseline.d.ts.map +0 -1
package/dist/src/cli/baseline.js.map +0 -1
package/dist/src/cli/ci.d.ts.map +0 -1
package/dist/src/cli/ci.js.map +0 -1
package/dist/src/cli/costs.d.ts.map +0 -1
package/dist/src/cli/costs.js.map +0 -1
package/dist/src/cli/council.d.ts.map +0 -1
package/dist/src/cli/council.js.map +0 -1
package/dist/src/cli/detector.d.ts.map +0 -1
package/dist/src/cli/detector.js.map +0 -1
package/dist/src/cli/explain.d.ts.map +0 -1
package/dist/src/cli/explain.js.map +0 -1
package/dist/src/cli/fix.d.ts.map +0 -1
package/dist/src/cli/fix.js.map +0 -1
package/dist/src/cli/hook.d.ts.map +0 -1
package/dist/src/cli/hook.js.map +0 -1
package/dist/src/cli/ignore-helper.d.ts.map +0 -1
package/dist/src/cli/ignore-helper.js.map +0 -1
package/dist/src/cli/index.d.ts.map +0 -1
package/dist/src/cli/index.js.map +0 -1
package/dist/src/cli/lsp.d.ts.map +0 -1
package/dist/src/cli/lsp.js.map +0 -1
package/dist/src/cli/mcp.d.ts.map +0 -1
package/dist/src/cli/mcp.js.map +0 -1
package/dist/src/cli/migrate-v4.d.ts.map +0 -1
package/dist/src/cli/migrate-v4.js.map +0 -1
package/dist/src/cli/pr-comment.d.ts.map +0 -1
package/dist/src/cli/pr-comment.js.map +0 -1
package/dist/src/cli/pr-desc.d.ts.map +0 -1
package/dist/src/cli/pr-desc.js.map +0 -1
package/dist/src/cli/pr-review-comments.d.ts.map +0 -1
package/dist/src/cli/pr-review-comments.js.map +0 -1
package/dist/src/cli/pr.d.ts.map +0 -1
package/dist/src/cli/pr.js.map +0 -1
package/dist/src/cli/preflight.d.ts.map +0 -1
package/dist/src/cli/preflight.js.map +0 -1
package/dist/src/cli/report.d.ts.map +0 -1
package/dist/src/cli/report.js.map +0 -1
package/dist/src/cli/run.d.ts.map +0 -1
package/dist/src/cli/run.js.map +0 -1
package/dist/src/cli/scan.d.ts.map +0 -1
package/dist/src/cli/scan.js.map +0 -1
package/dist/src/cli/setup.d.ts.map +0 -1
package/dist/src/cli/setup.js.map +0 -1
package/dist/src/cli/test-gen.d.ts.map +0 -1
package/dist/src/cli/test-gen.js.map +0 -1
package/dist/src/cli/triage.d.ts.map +0 -1
package/dist/src/cli/triage.js.map +0 -1
package/dist/src/cli/watch.d.ts.map +0 -1
package/dist/src/cli/watch.js.map +0 -1
package/dist/src/cli/worker.d.ts.map +0 -1
package/dist/src/cli/worker.js.map +0 -1
package/dist/src/core/cache/cached-engine.d.ts.map +0 -1
package/dist/src/core/cache/cached-engine.js.map +0 -1
package/dist/src/core/cache/review-cache.d.ts.map +0 -1
package/dist/src/core/cache/review-cache.js.map +0 -1
package/dist/src/core/chunking/index.d.ts.map +0 -1
package/dist/src/core/chunking/index.js.map +0 -1
package/dist/src/core/chunking/risk-ranker.d.ts.map +0 -1
package/dist/src/core/chunking/risk-ranker.js.map +0 -1
package/dist/src/core/config/loader.d.ts.map +0 -1
package/dist/src/core/config/loader.js.map +0 -1
package/dist/src/core/config/preset-resolver.d.ts.map +0 -1
package/dist/src/core/config/preset-resolver.js.map +0 -1
package/dist/src/core/config/schema.d.ts.map +0 -1
package/dist/src/core/config/schema.js.map +0 -1
package/dist/src/core/config/types.d.ts.map +0 -1
package/dist/src/core/config/types.js.map +0 -1
package/dist/src/core/council/config.d.ts.map +0 -1
package/dist/src/core/council/config.js.map +0 -1
package/dist/src/core/council/context.d.ts.map +0 -1
package/dist/src/core/council/context.js.map +0 -1
package/dist/src/core/council/runner.d.ts.map +0 -1
package/dist/src/core/council/runner.js.map +0 -1
package/dist/src/core/council/types.d.ts.map +0 -1
package/dist/src/core/council/types.js.map +0 -1
package/dist/src/core/detect/git-context.d.ts.map +0 -1
package/dist/src/core/detect/git-context.js.map +0 -1
package/dist/src/core/detect/llm-key.d.ts.map +0 -1
package/dist/src/core/detect/llm-key.js.map +0 -1
package/dist/src/core/detect/protected-paths.d.ts.map +0 -1
package/dist/src/core/detect/protected-paths.js.map +0 -1
package/dist/src/core/detect/provider-usage.d.ts.map +0 -1
package/dist/src/core/detect/provider-usage.js.map +0 -1
package/dist/src/core/detect/stack.d.ts.map +0 -1
package/dist/src/core/detect/stack.js.map +0 -1
package/dist/src/core/detect/workspaces.d.ts.map +0 -1
package/dist/src/core/detect/workspaces.js.map +0 -1
package/dist/src/core/errors.d.ts.map +0 -1
package/dist/src/core/errors.js.map +0 -1
package/dist/src/core/findings/dedup.d.ts.map +0 -1
package/dist/src/core/findings/dedup.js.map +0 -1
package/dist/src/core/findings/types.d.ts.map +0 -1
package/dist/src/core/findings/types.js.map +0 -1
package/dist/src/core/fix/generator.d.ts.map +0 -1
package/dist/src/core/fix/generator.js.map +0 -1
package/dist/src/core/git/diff-hunks.d.ts.map +0 -1
package/dist/src/core/git/diff-hunks.js.map +0 -1
package/dist/src/core/git/touched-files.d.ts.map +0 -1
package/dist/src/core/git/touched-files.js.map +0 -1
package/dist/src/core/ignore/index.d.ts.map +0 -1
package/dist/src/core/ignore/index.js.map +0 -1
package/dist/src/core/index.d.ts.map +0 -1
package/dist/src/core/index.js.map +0 -1
package/dist/src/core/logging/ndjson-writer.d.ts.map +0 -1
package/dist/src/core/logging/ndjson-writer.js.map +0 -1
package/dist/src/core/logging/redaction.d.ts.map +0 -1
package/dist/src/core/logging/redaction.js.map +0 -1
package/dist/src/core/mcp/concurrency.d.ts.map +0 -1
package/dist/src/core/mcp/concurrency.js.map +0 -1
package/dist/src/core/mcp/handlers/fix-finding.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/fix-finding.js.map +0 -1
package/dist/src/core/mcp/handlers/get-capabilities.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/get-capabilities.js.map +0 -1
package/dist/src/core/mcp/handlers/get-findings.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/get-findings.js.map +0 -1
package/dist/src/core/mcp/handlers/review-diff.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/review-diff.js.map +0 -1
package/dist/src/core/mcp/handlers/scan-files.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/scan-files.js.map +0 -1
package/dist/src/core/mcp/handlers/validate-fix.d.ts.map +0 -1
package/dist/src/core/mcp/handlers/validate-fix.js.map +0 -1
package/dist/src/core/mcp/run-store.d.ts.map +0 -1
package/dist/src/core/mcp/run-store.js.map +0 -1
package/dist/src/core/mcp/workspace.d.ts.map +0 -1
package/dist/src/core/mcp/workspace.js.map +0 -1
package/dist/src/core/persist/baseline.d.ts.map +0 -1
package/dist/src/core/persist/baseline.js.map +0 -1
package/dist/src/core/persist/cost-log.d.ts.map +0 -1
package/dist/src/core/persist/cost-log.js.map +0 -1
package/dist/src/core/persist/findings-cache.d.ts.map +0 -1
package/dist/src/core/persist/findings-cache.js.map +0 -1
package/dist/src/core/persist/triage.d.ts.map +0 -1
package/dist/src/core/persist/triage.js.map +0 -1
package/dist/src/core/phases/static-rules.d.ts.map +0 -1
package/dist/src/core/phases/static-rules.js.map +0 -1
package/dist/src/core/phases/tests.d.ts.map +0 -1
package/dist/src/core/phases/tests.js.map +0 -1
package/dist/src/core/pipeline/review-phase.d.ts.map +0 -1
package/dist/src/core/pipeline/review-phase.js.map +0 -1
package/dist/src/core/pipeline/run.d.ts.map +0 -1
package/dist/src/core/pipeline/run.js.map +0 -1
package/dist/src/core/runtime/idempotency.d.ts.map +0 -1
package/dist/src/core/runtime/idempotency.js.map +0 -1
package/dist/src/core/runtime/lock.d.ts.map +0 -1
package/dist/src/core/runtime/lock.js.map +0 -1
package/dist/src/core/runtime/state.d.ts.map +0 -1
package/dist/src/core/runtime/state.js.map +0 -1
package/dist/src/core/schema-alignment/detector.d.ts.map +0 -1
package/dist/src/core/schema-alignment/detector.js.map +0 -1
package/dist/src/core/schema-alignment/extractor/index.d.ts.map +0 -1
package/dist/src/core/schema-alignment/extractor/index.js.map +0 -1
package/dist/src/core/schema-alignment/extractor/prisma.d.ts.map +0 -1
package/dist/src/core/schema-alignment/extractor/prisma.js.map +0 -1
package/dist/src/core/schema-alignment/extractor/sql.d.ts.map +0 -1
package/dist/src/core/schema-alignment/extractor/sql.js.map +0 -1
package/dist/src/core/schema-alignment/llm-check.d.ts.map +0 -1
package/dist/src/core/schema-alignment/llm-check.js.map +0 -1
package/dist/src/core/schema-alignment/scanner.d.ts.map +0 -1
package/dist/src/core/schema-alignment/scanner.js.map +0 -1
package/dist/src/core/schema-alignment/types.d.ts.map +0 -1
package/dist/src/core/schema-alignment/types.js.map +0 -1
package/dist/src/core/shell.d.ts.map +0 -1
package/dist/src/core/shell.js.map +0 -1
package/dist/src/core/static-rules/registry.d.ts.map +0 -1
package/dist/src/core/static-rules/registry.js.map +0 -1
package/dist/src/core/static-rules/rules/brand-tokens.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/brand-tokens.js.map +0 -1
package/dist/src/core/static-rules/rules/console-log.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/console-log.js.map +0 -1
package/dist/src/core/static-rules/rules/hardcoded-secrets.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/hardcoded-secrets.js.map +0 -1
package/dist/src/core/static-rules/rules/insecure-redirect.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/insecure-redirect.js.map +0 -1
package/dist/src/core/static-rules/rules/large-file.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/large-file.js.map +0 -1
package/dist/src/core/static-rules/rules/missing-auth.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/missing-auth.js.map +0 -1
package/dist/src/core/static-rules/rules/missing-tests.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/missing-tests.js.map +0 -1
package/dist/src/core/static-rules/rules/npm-audit.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/npm-audit.js.map +0 -1
package/dist/src/core/static-rules/rules/package-lock-sync.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/package-lock-sync.js.map +0 -1
package/dist/src/core/static-rules/rules/schema-alignment.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/schema-alignment.js.map +0 -1
package/dist/src/core/static-rules/rules/sql-injection.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/sql-injection.js.map +0 -1
package/dist/src/core/static-rules/rules/ssrf.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/ssrf.js.map +0 -1
package/dist/src/core/static-rules/rules/todo-fixme.d.ts.map +0 -1
package/dist/src/core/static-rules/rules/todo-fixme.js.map +0 -1
package/dist/src/core/static-rules/tailwind-extractor.d.ts.map +0 -1
package/dist/src/core/static-rules/tailwind-extractor.js.map +0 -1
package/dist/src/core/test-gen/coverage-analyzer.d.ts.map +0 -1
package/dist/src/core/test-gen/coverage-analyzer.js.map +0 -1
package/dist/src/core/test-gen/framework-detector.d.ts.map +0 -1
package/dist/src/core/test-gen/framework-detector.js.map +0 -1
package/dist/src/core/test-gen/test-writer.d.ts.map +0 -1
package/dist/src/core/test-gen/test-writer.js.map +0 -1
package/dist/src/core/ui/design-context-loader.d.ts.map +0 -1
package/dist/src/core/ui/design-context-loader.js.map +0 -1
package/dist/src/core/worker/client.d.ts.map +0 -1
package/dist/src/core/worker/client.js.map +0 -1
package/dist/src/core/worker/lockfile.d.ts.map +0 -1
package/dist/src/core/worker/lockfile.js.map +0 -1
package/dist/src/core/worker/server.d.ts.map +0 -1
package/dist/src/core/worker/server.js.map +0 -1
package/dist/src/formatters/github-annotations.d.ts.map +0 -1
package/dist/src/formatters/github-annotations.js.map +0 -1
package/dist/src/formatters/index.d.ts.map +0 -1
package/dist/src/formatters/index.js.map +0 -1
package/dist/src/formatters/junit.d.ts.map +0 -1
package/dist/src/formatters/junit.js.map +0 -1
package/dist/src/formatters/sarif.d.ts.map +0 -1
package/dist/src/formatters/sarif.js.map +0 -1
package/dist/src/index.d.ts.map +0 -1
package/dist/src/index.js.map +0 -1
package/src/adapters/base.ts +0 -19
package/src/adapters/council/claude.ts +0 -41
package/src/adapters/council/openai.ts +0 -40
package/src/adapters/council/types.ts +0 -7
package/src/adapters/loader.ts +0 -108
package/src/adapters/migration-runner/supabase.ts +0 -56
package/src/adapters/migration-runner/types.ts +0 -36
package/src/adapters/review-bot-parser/cursor.ts +0 -13
package/src/adapters/review-bot-parser/declarative-base.ts +0 -64
package/src/adapters/review-bot-parser/types.ts +0 -9
package/src/adapters/review-engine/auto.ts +0 -94
package/src/adapters/review-engine/claude.ts +0 -100
package/src/adapters/review-engine/codex.ts +0 -82
package/src/adapters/review-engine/gemini.ts +0 -105
package/src/adapters/review-engine/openai-compatible.ts +0 -100
package/src/adapters/review-engine/parse-output.ts +0 -74
package/src/adapters/review-engine/prompt-builder.ts +0 -19
package/src/adapters/review-engine/types.ts +0 -19
package/src/adapters/vcs-host/commit-status.ts +0 -39
package/src/adapters/vcs-host/github.ts +0 -77
package/src/adapters/vcs-host/types.ts +0 -44
package/src/cli/_pkg-root.ts +0 -85
package/src/cli/autoregress-bridge.ts +0 -30
package/src/cli/baseline.ts +0 -125
package/src/cli/ci.ts +0 -45
package/src/cli/costs.ts +0 -80
package/src/cli/council.ts +0 -96
package/src/cli/detector.ts +0 -92
package/src/cli/explain.ts +0 -197
package/src/cli/fix.ts +0 -249
package/src/cli/hook.ts +0 -124
package/src/cli/ignore-helper.ts +0 -116
package/src/cli/index.ts +0 -612
package/src/cli/lsp.ts +0 -200
package/src/cli/mcp.ts +0 -206
package/src/cli/migrate-v4.ts +0 -388
package/src/cli/pr-comment.ts +0 -139
package/src/cli/pr-desc.ts +0 -168
package/src/cli/pr-review-comments.ts +0 -92
package/src/cli/pr.ts +0 -76
package/src/cli/preflight.ts +0 -235
package/src/cli/report.ts +0 -186
package/src/cli/run.ts +0 -425
package/src/cli/scan.ts +0 -233
package/src/cli/setup.ts +0 -191
package/src/cli/test-gen.ts +0 -125
package/src/cli/triage.ts +0 -137
package/src/cli/watch.ts +0 -190
package/src/cli/worker.ts +0 -109
package/src/core/.gitkeep +0 -0
package/src/core/cache/cached-engine.ts +0 -32
package/src/core/cache/review-cache.ts +0 -70
package/src/core/chunking/index.ts +0 -113
package/src/core/chunking/risk-ranker.ts +0 -56
package/src/core/config/loader.ts +0 -53
package/src/core/config/preset-resolver.ts +0 -46
package/src/core/config/schema.ts +0 -181
package/src/core/config/types.ts +0 -98
package/src/core/council/config.ts +0 -71
package/src/core/council/context.ts +0 -17
package/src/core/council/runner.ts +0 -83
package/src/core/council/types.ts +0 -45
package/src/core/detect/git-context.ts +0 -27
package/src/core/detect/llm-key.ts +0 -89
package/src/core/detect/protected-paths.ts +0 -63
package/src/core/detect/provider-usage.ts +0 -74
package/src/core/detect/stack.ts +0 -153
package/src/core/detect/workspaces.ts +0 -103
package/src/core/errors.ts +0 -37
package/src/core/findings/dedup.ts +0 -14
package/src/core/findings/types.ts +0 -39
package/src/core/fix/generator.ts +0 -149
package/src/core/git/diff-hunks.ts +0 -86
package/src/core/git/touched-files.ts +0 -73
package/src/core/ignore/index.ts +0 -54
package/src/core/index.ts +0 -1
package/src/core/logging/ndjson-writer.ts +0 -37
package/src/core/logging/redaction.ts +0 -19
package/src/core/mcp/concurrency.ts +0 -16
package/src/core/mcp/handlers/fix-finding.ts +0 -126
package/src/core/mcp/handlers/get-capabilities.ts +0 -62
package/src/core/mcp/handlers/get-findings.ts +0 -36
package/src/core/mcp/handlers/review-diff.ts +0 -65
package/src/core/mcp/handlers/scan-files.ts +0 -65
package/src/core/mcp/handlers/validate-fix.ts +0 -41
package/src/core/mcp/run-store.ts +0 -85
package/src/core/mcp/workspace.ts +0 -35
package/src/core/persist/baseline.ts +0 -112
package/src/core/persist/cost-log.ts +0 -30
package/src/core/persist/findings-cache.ts +0 -43
package/src/core/persist/triage.ts +0 -112
package/src/core/phases/static-rules.ts +0 -93
package/src/core/phases/tests.ts +0 -51
package/src/core/pipeline/review-phase.ts +0 -182
package/src/core/pipeline/run.ts +0 -116
package/src/core/runtime/idempotency.ts +0 -6
package/src/core/runtime/lock.ts +0 -29
package/src/core/runtime/state.ts +0 -97
package/src/core/schema-alignment/detector.ts +0 -59
package/src/core/schema-alignment/extractor/index.ts +0 -24
package/src/core/schema-alignment/extractor/prisma.ts +0 -21
package/src/core/schema-alignment/extractor/sql.ts +0 -99
package/src/core/schema-alignment/llm-check.ts +0 -91
package/src/core/schema-alignment/scanner.ts +0 -107
package/src/core/schema-alignment/types.ts +0 -43
package/src/core/shell.ts +0 -48
package/src/core/static-rules/registry.ts +0 -59
package/src/core/static-rules/rules/brand-tokens.ts +0 -145
package/src/core/static-rules/rules/console-log.ts +0 -42
package/src/core/static-rules/rules/hardcoded-secrets.ts +0 -83
package/src/core/static-rules/rules/insecure-redirect.ts +0 -67
package/src/core/static-rules/rules/large-file.ts +0 -37
package/src/core/static-rules/rules/missing-auth.ts +0 -70
package/src/core/static-rules/rules/missing-tests.ts +0 -57
package/src/core/static-rules/rules/npm-audit.ts +0 -38
package/src/core/static-rules/rules/package-lock-sync.ts +0 -54
package/src/core/static-rules/rules/schema-alignment.ts +0 -132
package/src/core/static-rules/rules/sql-injection.ts +0 -71
package/src/core/static-rules/rules/ssrf.ts +0 -63
package/src/core/static-rules/rules/todo-fixme.ts +0 -40
package/src/core/static-rules/tailwind-extractor.ts +0 -38
package/src/core/test-gen/coverage-analyzer.ts +0 -93
package/src/core/test-gen/framework-detector.ts +0 -21
package/src/core/test-gen/test-writer.ts +0 -33
package/src/core/ui/design-context-loader.ts +0 -87
package/src/core/worker/client.ts +0 -46
package/src/core/worker/lockfile.ts +0 -38
package/src/core/worker/server.ts +0 -81
package/src/formatters/github-annotations.ts +0 -36
package/src/formatters/index.ts +0 -3
package/src/formatters/junit.ts +0 -52
package/src/formatters/sarif.ts +0 -103
package/src/index.ts +0 -3

package/src/cli/run.ts DELETED Viewed

@@ -1,425 +0,0 @@
-#!/usr/bin/env node
-import * as path from 'node:path';
-import * as fs from 'node:fs';
-// Load .env.local / .env so OPENAI_API_KEY etc. are available without shell export
-const ENV_FILES = ['.env.local', '.env.dev', '.env.development', '.env'];
-for (const f of ENV_FILES) {
-  const p = path.join(process.cwd(), f);
-  if (!fs.existsSync(p)) continue;
-  for (const line of fs.readFileSync(p, 'utf8').split('\n')) {
-    const t = line.trim();
-    if (!t || t.startsWith('#')) continue;
-    const eq = t.indexOf('=');
-    if (eq < 0) continue;
-    const key = t.slice(0, eq).trim();
-    if (!process.env[key]) {
-      process.env[key] = t.slice(eq + 1).trim().replace(/^['"]|['"]$/g, '');
-    }
-  }
-  break;
-}
-import { loadConfig } from '../core/config/loader.ts';
-import { loadRulesFromConfig } from '../core/static-rules/registry.ts';
-import { resolvePreset } from '../core/config/preset-resolver.ts';
-import { mergeConfigs } from '../core/config/preset-resolver.ts';
-import { loadAdapter } from '../adapters/loader.ts';
-import { runGuardrail } from '../core/pipeline/run.ts';
-import { resolveGitTouchedFiles } from '../core/git/touched-files.ts';
-import type { RunInput } from '../core/pipeline/run.ts';
-import type { ReviewEngine } from '../adapters/review-engine/types.ts';
-import type { GuardrailConfig } from '../core/config/types.ts';
-import { findPackageRoot } from './_pkg-root.ts';
-import { toSarif } from '../formatters/sarif.ts';
-import { toJUnit } from '../formatters/junit.ts';
-import { loadTriage, filterTriaged } from '../core/persist/triage.ts';
-import { emitAnnotations } from '../formatters/github-annotations.ts';
-import { detectStack } from '../core/detect/stack.ts';
-import { detectProtectedPaths } from '../core/detect/protected-paths.ts';
-import { detectGitContext } from '../core/detect/git-context.ts';
-import { detectWorkspaces, mapFilesToWorkspaces } from '../core/detect/workspaces.ts';
-import { detectProject } from './detector.ts';
-import { detectPrNumber, formatComment, postPrComment } from './pr-comment.ts';
-import { postReviewComments } from './pr-review-comments.ts';
-import { loadIgnoreRules, parseConfigIgnore, applyIgnoreRules } from '../core/ignore/index.ts';
-import { detectLLMKey, LLM_KEY_HINTS } from '../core/detect/llm-key.ts';
-import { loadCachedFindings, saveCachedFindings, filterNewFindings } from '../core/persist/findings-cache.ts';
-import { loadBaseline, filterBaselined } from '../core/persist/baseline.ts';
-import { appendCostLog } from '../core/persist/cost-log.ts';
-import { postCommitStatus, resolveCommitSha } from '../adapters/vcs-host/commit-status.ts';
-function computeExitCode(findings: { severity: string }[], failOn: string): number {
-  if (failOn === 'none') return 0;
-  const fail = failOn === 'warning' ? ['critical', 'warning']
-    : failOn === 'note' ? ['critical', 'warning', 'note']
-    : ['critical'];
-  return findings.some(f => fail.includes(f.severity)) ? 1 : 0;
-}
-function readToolVersion(): string {
-  const root = findPackageRoot(import.meta.url);
-  if (!root) return 'unknown';
-  const pkgPath = path.join(root, 'package.json');
-  return (JSON.parse(fs.readFileSync(pkgPath, 'utf8')) as { version: string }).version;
-}
-const C = {
-  reset: '\x1b[0m',
-  bold: '\x1b[1m',
-  dim: '\x1b[2m',
-  green: '\x1b[32m',
-  yellow: '\x1b[33m',
-  red: '\x1b[31m',
-  cyan: '\x1b[36m',
-};
-function fmt(color: keyof typeof C, text: string): string {
-  return `${C[color]}${text}${C.reset}`;
-}
-export interface RunCommandOptions {
-  cwd?: string;
-  configPath?: string;
-  base?: string;        // git base ref (default HEAD~1)
-  files?: string[];     // explicit file list (skips git detection)
-  dryRun?: boolean;     // skip review, print what would run
-  diff?: boolean;           // use diff strategy (send git hunks instead of full files)
-  delta?: boolean;          // only report findings not present in last run's baseline
-  newOnly?: boolean;        // only report findings not in committed .guardrail-baseline.json
-  failOn?: 'critical' | 'warning' | 'note' | 'none'; // severity threshold for exit 1
-  inlineComments?: boolean; // post per-line review comments on the PR diff
-  format?: 'text' | 'sarif' | 'junit';
-  outputPath?: string;
-  postComments?: boolean; // post/update summary comment on the open PR
-  skipReview?: boolean;  // skip tests and review phases (static rules only)
-}
-/**
- * Returns an exit code (0 = pass/warn, 1 = fail/error).
- * Never calls process.exit directly — caller decides when to exit.
- */
-export async function runCommand(options: RunCommandOptions = {}): Promise<number> {
-  const cwd = options.cwd ?? process.cwd();
-  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
-  // Load + merge config (graceful zero-config fallback)
-  let config: GuardrailConfig;
-  if (!fs.existsSync(configPath)) {
-    console.log(fmt('dim', `[run] No guardrail.config.yaml found — using defaults. Run \`npx guardrail setup\` to configure.`));
-    config = { configVersion: 1, reviewEngine: { adapter: 'auto' }, testCommand: null };
-  } else {
-    try {
-      const userConfig = await loadConfig(configPath);
-      if (userConfig.preset) {
-        const preset = await resolvePreset(userConfig.preset);
-        config = mergeConfigs(preset.config, userConfig);
-      } else {
-        config = userConfig;
-      }
-    } catch (err) {
-      console.error(fmt('red', `[run] Config error: ${err instanceof Error ? err.message : String(err)}`));
-      return 1;
-    }
-  }
-  // Fill in missing config fields from auto-detection (track what was auto-detected for logging)
-  const autoDetected: string[] = [];
-  if (!config.stack) {
-    const detected = detectStack(cwd);
-    if (detected) { config = { ...config, stack: detected }; autoDetected.push(`stack: ${detected}`); }
-  }
-  if (!config.protectedPaths || config.protectedPaths.length === 0) {
-    const detected = detectProtectedPaths(cwd);
-    if (detected.length > 0) {
-      config = { ...config, protectedPaths: detected };
-      autoDetected.push(`protected: ${detected.slice(0, 3).join(', ')}${detected.length > 3 ? ` +${detected.length - 3} more` : ''}`);
-    }
-  }
-  if (config.testCommand === undefined) {
-    const detected = detectProject(cwd).testCommand;
-    config = { ...config, testCommand: detected };
-    autoDetected.push(`test: ${detected}`);
-  }
-  // Monorepo workspace detection
-  const workspaces = detectWorkspaces(cwd);
-  if (workspaces && workspaces.length > 0) {
-    autoDetected.push(`workspaces: ${workspaces.length} (${workspaces.map(w => w.name).slice(0, 3).join(', ')}${workspaces.length > 3 ? ` +${workspaces.length - 3} more` : ''})`);
-  }
-  const gitCtx = detectGitContext(cwd);
-  // Resolve touched files
-  const touchedFiles = options.files ?? resolveGitTouchedFiles({ cwd, base: options.base });
-  if (touchedFiles.length === 0) {
-    console.log(fmt('yellow', '[run] No changed files detected — nothing to review.'));
-    console.log(fmt('dim', '      Pass --base <ref> to compare against a different branch/commit.'));
-    return 0;
-  }
-  console.log(`\n${fmt('bold', '[run]')} ${fmt('dim', configPath)}`);
-  console.log(`${fmt('dim', `  ${touchedFiles.length} changed file(s):`)} ${touchedFiles.slice(0, 5).join(', ')}${touchedFiles.length > 5 ? ` … +${touchedFiles.length - 5} more` : ''}`);
-  if (gitCtx.summary) {
-    console.log(fmt('dim', `  ${gitCtx.summary}`));
-  }
-  if (autoDetected.length > 0) {
-    console.log(fmt('dim', `  auto-detected: ${autoDetected.join(' | ')}`));
-  }
-  if (options.dryRun) {
-    console.log(fmt('yellow', '\n[run] Dry run — skipping pipeline execution.\n'));
-    return 0;
-  }
-  // Load review engine (optional — skip gracefully if no API key configured)
-  let reviewEngine: ReviewEngine | undefined;
-  if (config.reviewEngine) {
-    const ref = typeof config.reviewEngine === 'string' ? config.reviewEngine : config.reviewEngine.adapter;
-    if (!detectLLMKey().hasKey && ['auto', 'claude', 'gemini', 'codex', 'openai-compatible'].includes(ref)) {
-      console.log(fmt('yellow', '\n  [run] No LLM API key — set one of:'));
-      for (const { name, url, note } of LLM_KEY_HINTS) {
-        const suffix = note ? `  (${note})` : '';
-        console.log(fmt('dim', `         ${name.padEnd(18)} ${url}${suffix}`));
-      }
-      console.log('');
-    } else {
-      try {
-        reviewEngine = await loadAdapter<ReviewEngine>({
-          point: 'review-engine',
-          ref,
-          options: typeof config.reviewEngine === 'string' ? undefined : config.reviewEngine.options,
-        });
-      } catch (err) {
-        console.error(fmt('yellow', `  [run] Could not load review engine (${ref}): ${err instanceof Error ? err.message : String(err)} — skipping`));
-      }
-    }
-  }
-  // Load static rules from config
-  const staticRules = config.staticRules && config.staticRules.length > 0
-    ? await loadRulesFromConfig(config.staticRules)
-    : [];
-  // Apply --diff flag: override reviewStrategy to 'diff'
-  if (options.diff && config.reviewStrategy !== 'diff') {
-    config = { ...config, reviewStrategy: 'diff' };
-  }
-  // Pre-run cost estimate
-  if (config.cost?.estimateBeforeRun) {
-    const totalChars = touchedFiles.reduce((sum, f) => {
-      try { return sum + fs.statSync(f).size; } catch { return sum; }
-    }, 0);
-    const estTokens = Math.round(totalChars / 4);
-    const estCost = estTokens / 1_000_000 * 3.0; // rough: $3/M tokens (Sonnet)
-    const cap = config.cost?.maxPerRun;
-    console.log(fmt('dim', `  [run] estimated: ~${estTokens.toLocaleString()} tokens, ~$${estCost.toFixed(4)}`
-      + (cap ? ` (cap: $${cap})` : '')));
-  }
-  // Execute pipeline
-  const input: RunInput = {
-    touchedFiles,
-    config,
-    reviewEngine,
-    staticRules,
-    cwd,
-    gitSummary: gitCtx.summary ?? undefined,
-    base: options.base,
-    skipReview: options.skipReview,
-  };
-  // Post pending commit status (best-effort — never fatal)
-  const commitSha = resolveCommitSha(cwd);
-  if (commitSha) {
-    postCommitStatus({ sha: commitSha, state: 'pending', description: `Reviewing ${touchedFiles.length} file(s)…`, cwd });
-  }
-  console.log('');
-  const result = await runGuardrail(input);
-  // Apply .guardrail-ignore + config ignore: rules
-  const ignoreRules = [...loadIgnoreRules(cwd), ...parseConfigIgnore(config.ignore)];
-  if (ignoreRules.length > 0) {
-    const before = result.allFindings.length;
-    result.allFindings = applyIgnoreRules(result.allFindings, ignoreRules);
-    for (const phase of result.phases) {
-      phase.findings = applyIgnoreRules(phase.findings, ignoreRules);
-    }
-    const suppressed = before - result.allFindings.length;
-    if (suppressed > 0) {
-      console.log(fmt('dim', `  [run] ${suppressed} finding${suppressed !== 1 ? 's' : ''} suppressed by .guardrail-ignore`));
-    }
-  }
-  // Delta mode: filter to only new findings vs last run's cache, then persist
-  if (options.delta) {
-    const cached = loadCachedFindings(cwd);
-    const before = result.allFindings.length;
-    result.allFindings = filterNewFindings(result.allFindings, cached);
-    for (const phase of result.phases) {
-      phase.findings = filterNewFindings(phase.findings, cached);
-    }
-    const existing = before - result.allFindings.length;
-    if (existing > 0) {
-      console.log(fmt('dim', `  [run] ${existing} pre-existing finding${existing !== 1 ? 's' : ''} hidden (--delta mode)`));
-    }
-  }
-  // --new-only / policy.newOnly: filter against committed .guardrail-baseline.json
-  const policy = config.policy ?? {};
-  const newOnly = options.newOnly ?? policy.newOnly ?? false;
-  if (newOnly) {
-    const baseline = loadBaseline(cwd, policy.baselinePath);
-    if (baseline) {
-      const { newFindings, baselinedCount } = filterBaselined(result.allFindings, baseline);
-      result.allFindings = newFindings;
-      for (const phase of result.phases) {
-        phase.findings = filterBaselined(phase.findings, baseline).newFindings;
-      }
-      if (baselinedCount > 0) {
-        console.log(fmt('dim', `  [run] ${baselinedCount} baselined finding${baselinedCount !== 1 ? 's' : ''} suppressed (--new-only)`));
-      }
-    } else {
-      console.log(fmt('yellow', '  [run] --new-only: no .guardrail-baseline.json found — showing all findings'));
-      console.log(fmt('dim',    '         Run `guardrail baseline create` after first scan to pin the baseline'));
-    }
-  }
-  // Triage filter: suppress accepted-risk / false-positive findings
-  const triageStore = loadTriage(cwd);
-  if (triageStore.entries.length > 0) {
-    const { active, triageCount } = filterTriaged(result.allFindings, triageStore);
-    if (triageCount > 0) {
-      result.allFindings = active;
-      for (const phase of result.phases) {
-        phase.findings = filterTriaged(phase.findings, triageStore).active;
-      }
-      console.log(fmt('dim', `  [run] ${triageCount} triaged finding${triageCount !== 1 ? 's' : ''} suppressed (accepted-risk / false-positive)`));
-    }
-  }
-  // Always persist the unfiltered findings as the run cache
-  saveCachedFindings(cwd, result.allFindings);
-  // Append to per-run cost log
-  const reviewPhase = result.phases.find(p => p.phase === 'review') as { usage?: { input: number; output: number } } | undefined;
-  appendCostLog(cwd, {
-    timestamp: new Date().toISOString(),
-    files: touchedFiles.length,
-    inputTokens: reviewPhase?.usage?.input ?? 0,
-    outputTokens: reviewPhase?.usage?.output ?? 0,
-    costUSD: result.totalCostUSD ?? 0,
-    durationMs: result.durationMs,
-  });
-  // emitAnnotations is a no-op unless GITHUB_ACTIONS=true
-  emitAnnotations(result.allFindings);
-  // Write SARIF output if requested
-  if (options.format === 'sarif' && options.outputPath) {
-    const sarif = toSarif(result, { toolVersion: readToolVersion(), cwd });
-    fs.mkdirSync(path.dirname(path.resolve(options.outputPath)), { recursive: true });
-    fs.writeFileSync(options.outputPath, JSON.stringify(sarif, null, 2), 'utf8');
-    console.log(fmt('dim', `[run] SARIF written to ${options.outputPath}`));
-  }
-  // Write JUnit XML output if requested
-  if (options.format === 'junit' && options.outputPath) {
-    const junit = toJUnit(result);
-    fs.mkdirSync(path.dirname(path.resolve(options.outputPath)), { recursive: true });
-    fs.writeFileSync(options.outputPath, junit, 'utf8');
-    console.log(fmt('dim', `[run] JUnit XML written to ${options.outputPath}`));
-  }
-  // Post inline PR review comments if requested
-  if (options.inlineComments) {
-    const pr = detectPrNumber(cwd);
-    if (!pr) {
-      console.log(fmt('yellow', '  [run] --inline-comments: no open PR found — skipping'));
-    } else {
-      try {
-        const { posted, skipped } = await postReviewComments(pr, result.allFindings, cwd);
-        console.log(fmt('dim', `  [run] PR #${pr} inline review: ${posted} comment${posted !== 1 ? 's' : ''} posted${skipped > 0 ? `, ${skipped} skipped (no line number)` : ''}`));
-      } catch (err) {
-        console.error(fmt('yellow', `  [run] Failed to post inline comments: ${err instanceof Error ? err.message : String(err)}`));
-      }
-    }
-  }
-  // Post PR comment if requested
-  if (options.postComments) {
-    const pr = detectPrNumber(cwd);
-    if (!pr) {
-      console.log(fmt('yellow', '  [run] --post-comments: no open PR found — skipping comment'));
-    } else {
-      try {
-        const body = formatComment(result, config, gitCtx, touchedFiles.length);
-        const { action } = await postPrComment(pr, body, cwd);
-        console.log(fmt('dim', `  [run] PR #${pr} comment ${action}`));
-      } catch (err) {
-        console.error(fmt('yellow', `  [run] Failed to post PR comment: ${err instanceof Error ? err.message : String(err)}`));
-      }
-    }
-  }
-  // Print phase summaries
-  for (const phase of result.phases) {
-    const icon = phase.status === 'pass' ? fmt('green', '✓') :
-                 phase.status === 'skip' ? fmt('dim', '–') :
-                 phase.status === 'warn' ? fmt('yellow', '!') : fmt('red', '✗');
-    const phaseLabel = phase.phase.padEnd(14);
-    const findingCount = phase.findings.length;
-    const extra = findingCount > 0 ? fmt('dim', ` (${findingCount} finding${findingCount !== 1 ? 's' : ''})`) : '';
-    const dur = 'durationMs' in phase ? fmt('dim', ` ${phase.durationMs}ms`) : '';
-    console.log(`  ${icon}  ${phaseLabel}${extra}${dur}`);
-    // Print critical/warning findings inline
-    for (const f of phase.findings) {
-      if (f.severity === 'critical' || f.severity === 'warning') {
-        const sev = f.severity === 'critical' ? fmt('red', 'CRITICAL') : fmt('yellow', 'WARNING ');
-        console.log(`       ${sev}  ${f.file}${f.line ? `:${f.line}` : ''} — ${f.message}`);
-        if (f.suggestion) console.log(fmt('dim', `                ${f.suggestion}`));
-      }
-    }
-  }
-  // Cost summary
-  if (result.totalCostUSD !== undefined) {
-    console.log(`\n  ${fmt('dim', `cost: $${result.totalCostUSD.toFixed(4)}`)}  ${fmt('dim', `${result.durationMs}ms total`)}`);
-  } else {
-    console.log(`\n  ${fmt('dim', `${result.durationMs}ms total`)}`);
-  }
-  // Post final commit status
-  if (commitSha) {
-    const critical = result.allFindings.filter(f => f.severity === 'critical').length;
-    const warnings = result.allFindings.filter(f => f.severity === 'warning').length;
-    const state = result.status === 'fail' ? 'failure' : 'success';
-    const desc = result.status === 'pass'
-      ? 'All checks passed'
-      : result.status === 'warn'
-        ? `Passed with ${warnings} warning${warnings !== 1 ? 's' : ''}`
-        : `${critical} critical finding${critical !== 1 ? 's' : ''}`;
-    postCommitStatus({ sha: commitSha, state, description: desc, cwd });
-  }
-  // Final verdict — apply policy.failOn threshold
-  const failOn = options.failOn ?? policy.failOn ?? 'critical';
-  const exitCode = computeExitCode(result.allFindings, failOn);
-  console.log('');
-  if (exitCode === 0 && result.status !== 'pass') {
-    const reason = failOn === 'none' ? ' (policy: fail-on=none)' : ` (policy: fail-on=${failOn})`;
-    console.log(fmt('yellow', `[run] ! Passed with findings${reason}\n`));
-  } else if (result.status === 'pass') {
-    console.log(fmt('green', '[run] ✓ All phases passed\n'));
-  } else if (result.status === 'warn') {
-    console.log(fmt('yellow', '[run] ! Passed with warnings\n'));
-  } else {
-    console.log(fmt('red', '[run] ✗ Pipeline failed — see findings above\n'));
-  }
-  return exitCode;
-}

package/src/cli/scan.ts DELETED Viewed

@@ -1,233 +0,0 @@
-import * as path from 'node:path';
-import * as fs from 'node:fs';
-import { loadConfig } from '../core/config/loader.ts';
-import { loadAdapter } from '../adapters/loader.ts';
-import type { ReviewEngine } from '../adapters/review-engine/types.ts';
-import { runReviewPhase } from '../core/pipeline/review-phase.ts';
-import { detectStack } from '../core/detect/stack.ts';
-import { loadIgnoreRules, parseConfigIgnore, applyIgnoreRules } from '../core/ignore/index.ts';
-import { saveCachedFindings } from '../core/persist/findings-cache.ts';
-import type { GuardrailConfig } from '../core/config/types.ts';
-import { detectLLMKey, LLM_KEY_HINTS } from '../core/detect/llm-key.ts';
-const C = {
-  reset: '\x1b[0m', bold: '\x1b[1m', dim: '\x1b[2m',
-  green: '\x1b[32m', yellow: '\x1b[33m', red: '\x1b[31m', cyan: '\x1b[36m',
-};
-const fmt = (c: keyof typeof C, t: string) => `${C[c]}${t}${C.reset}`;
-const IGNORED_DIRS = new Set([
-  'node_modules', '.git', 'dist', 'build', '.next', '.nuxt', 'coverage',
-  '.guardrail-cache', '.autopilot', '__pycache__', '.venv', 'vendor',
-]);
-const CODE_EXTS = new Set([
-  '.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs',
-  '.py', '.go', '.rb', '.rs', '.java', '.kt', '.swift',
-  '.c', '.cpp', '.h', '.cs', '.php',
-  '.sql', '.sh', '.bash', '.yaml', '.yml', '.json', '.toml',
-]);
-function collectFiles(target: string, cwd: string): string[] {
-  const abs = path.isAbsolute(target) ? target : path.resolve(cwd, target);
-  if (!fs.existsSync(abs)) return [];
-  const stat = fs.statSync(abs);
-  if (stat.isFile()) return [abs];
-  const results: string[] = [];
-  function walk(dir: string) {
-    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
-      if (IGNORED_DIRS.has(entry.name)) continue;
-      const full = path.join(dir, entry.name);
-      if (entry.isDirectory()) {
-        walk(full);
-      } else if (entry.isFile() && CODE_EXTS.has(path.extname(entry.name))) {
-        results.push(full);
-      }
-    }
-  }
-  walk(abs);
-  return results;
-}
-function collectAllFiles(cwd: string): string[] {
-  return collectFiles(cwd, cwd);
-}
-export interface ScanCommandOptions {
-  cwd?: string;
-  configPath?: string;
-  targets?: string[];   // explicit paths/dirs to scan
-  all?: boolean;        // scan entire codebase
-  ask?: string;         // targeted question to inject into review prompt
-  focus?: 'security' | 'logic' | 'performance' | 'brand' | 'all';
-  dryRun?: boolean;
-}
-export async function runScan(options: ScanCommandOptions = {}): Promise<number> {
-  const cwd = options.cwd ?? process.cwd();
-  const configPath = options.configPath ?? path.join(cwd, 'guardrail.config.yaml');
-  let config: GuardrailConfig = { configVersion: 1 };
-  if (fs.existsSync(configPath)) {
-    const loaded = await loadConfig(configPath);
-    if (loaded) config = loaded;
-  }
-  // Collect files
-  let files: string[];
-  if (options.all) {
-    files = collectAllFiles(cwd);
-  } else if (options.targets && options.targets.length > 0) {
-    files = options.targets.flatMap(t => collectFiles(t, cwd));
-  } else {
-    console.error(fmt('red', '[scan] Specify a path, --all, or use `guardrail run` for git-changed files'));
-    console.error(fmt('dim', '  Examples:'));
-    console.error(fmt('dim', '    guardrail scan src/auth/'));
-    console.error(fmt('dim', '    guardrail scan --all'));
-    console.error(fmt('dim', '    guardrail scan --ask "is there SQL injection?" src/db/'));
-    return 1;
-  }
-  // Deduplicate
-  files = [...new Set(files)];
-  if (files.length === 0) {
-    console.log(fmt('yellow', '[scan] No code files found at the specified path(s)'));
-    return 0;
-  }
-  if (options.dryRun) {
-    console.log(fmt('bold', `[scan] Would scan ${files.length} file(s):`));
-    for (const f of files) console.log(fmt('dim', `  ${path.relative(cwd, f)}`));
-    return 0;
-  }
-  // Auto-detect stack if not in config
-  if (!config.stack) {
-    config = { ...config, stack: detectStack(cwd) ?? undefined };
-  }
-  // Build review engine
-  if (!detectLLMKey().hasKey) {
-    console.error(fmt('red', '[scan] No LLM API key — set one of:'));
-    for (const { name, url, note } of LLM_KEY_HINTS) {
-      const suffix = note ? `  (${note})` : '';
-      console.error(fmt('dim', `         ${name.padEnd(18)} ${url}${suffix}`));
-    }
-    return 1;
-  }
-  const engineRef = typeof config.reviewEngine === 'string' ? config.reviewEngine
-    : (config.reviewEngine?.adapter ?? 'auto');
-  let engine: ReviewEngine;
-  try {
-    engine = await loadAdapter<ReviewEngine>({
-      point: 'review-engine',
-      ref: engineRef,
-      options: typeof config.reviewEngine === 'object' ? config.reviewEngine.options as Record<string, unknown> : undefined,
-    });
-  } catch (err) {
-    console.error(fmt('red', `[scan] Could not load review engine: ${err instanceof Error ? err.message : String(err)}`));
-    return 1;
-  }
-  const focusLabel = options.focus && options.focus !== 'all' ? options.focus : null;
-  const relFiles = files.map(f => path.relative(cwd, f));
-  console.log('');
-  const scopeDesc = options.all ? 'entire codebase' : relFiles.slice(0, 3).join(', ') + (relFiles.length > 3 ? ` +${relFiles.length - 3} more` : '');
-  console.log(fmt('bold', `[scan]`) + fmt('dim', ` ${files.length} file(s) — ${scopeDesc}`));
-  if (options.ask) console.log(fmt('dim', `  question: ${options.ask}`));
-  if (focusLabel) console.log(fmt('dim', `  focus: ${focusLabel}`));
-  console.log('');
-  // Build a focused git summary / prompt context
-  const focusHint = buildFocusHint(options.ask, focusLabel);
-  const result = await runReviewPhase({
-    touchedFiles: relFiles,
-    engine,
-    config,
-    cwd,
-    gitSummary: focusHint,
-  });
-  // Apply ignore rules
-  const ignoreRules = [...loadIgnoreRules(cwd), ...parseConfigIgnore(config.ignore)];
-  const findings = applyIgnoreRules(result.findings, ignoreRules);
-  // Print results
-  if (findings.length === 0 && options.ask && result.rawOutputs && result.rawOutputs.length > 0) {
-    // --ask returned prose rather than structured findings — surface raw response
-    console.log(fmt('cyan', `Answer:`));
-    for (const raw of result.rawOutputs) {
-      // Strip markdown fences and the ## Findings / ## Review Summary headers if present
-      const cleaned = raw.replace(/^##\s+Review Summary\s*\n/gm, '').replace(/^##\s+Findings\s*\n/gm, '').trim();
-      console.log(cleaned);
-    }
-    console.log('');
-  } else if (findings.length === 0) {
-    console.log(fmt('green', '✓ No findings'));
-  } else {
-    const critical = findings.filter(f => f.severity === 'critical');
-    const warnings = findings.filter(f => f.severity === 'warning');
-    const notes    = findings.filter(f => f.severity === 'note');
-    if (critical.length > 0) {
-      console.log(fmt('red', `🚨 ${critical.length} critical`));
-      for (const f of critical) {
-        const loc = f.file && f.file !== '<unspecified>' ? fmt('dim', `${f.file}${f.line ? `:${f.line}` : ''}`) + ' ' : '';
-        console.log(`  ${loc}${f.message}`);
-        if (f.suggestion) console.log(fmt('dim', `    → ${f.suggestion}`));
-      }
-      console.log('');
-    }
-    if (warnings.length > 0) {
-      console.log(fmt('yellow', `⚠  ${warnings.length} warning${warnings.length !== 1 ? 's' : ''}`));
-      for (const f of warnings) {
-        const loc = f.file && f.file !== '<unspecified>' ? fmt('dim', `${f.file}${f.line ? `:${f.line}` : ''}`) + ' ' : '';
-        console.log(`  ${loc}${f.message}`);
-        if (f.suggestion) console.log(fmt('dim', `    → ${f.suggestion}`));
-      }
-      console.log('');
-    }
-    if (notes.length > 0) {
-      console.log(fmt('dim', `ℹ  ${notes.length} note${notes.length !== 1 ? 's' : ''}`));
-      for (const f of notes) {
-        const loc = f.file && f.file !== '<unspecified>' ? `${f.file}${f.line ? `:${f.line}` : ''} ` : '';
-        console.log(fmt('dim', `  ${loc}${f.message}`));
-      }
-      console.log('');
-    }
-  }
-  // Persist findings so `guardrail fix` can read them
-  saveCachedFindings(cwd, findings);
-  if (result.costUSD !== undefined) {
-    console.log(fmt('dim', `  $${result.costUSD.toFixed(4)} · ${result.durationMs}ms`));
-  }
-  const fixable = findings.filter(f => f.severity === 'critical' || f.severity === 'warning');
-  if (fixable.length > 0) {
-    console.log(fmt('dim', `  → run \`guardrail fix\` to auto-fix ${fixable.length} finding${fixable.length !== 1 ? 's' : ''}`));
-  }
-  return findings.some(f => f.severity === 'critical') ? 1 : 0;
-}
-function buildFocusHint(ask: string | undefined, focus: string | null): string {
-  const parts: string[] = [];
-  if (ask) {
-    parts.push(
-      `TARGETED QUESTION (required): The reviewer specifically wants to know: "${ask}". ` +
-      `You MUST answer this question using the structured findings format. ` +
-      `Even if no issues are found, output at least one ### [NOTE] finding that directly answers the question.`,
-    );
-  }
-  if (focus === 'security') parts.push('Focus: security vulnerabilities, auth issues, injection risks, data exposure');
-  if (focus === 'logic') parts.push('Focus: logic bugs, incorrect behavior, edge cases, null handling, async errors');
-  if (focus === 'performance') parts.push('Focus: performance issues, N+1 queries, blocking I/O, memory leaks');
-  return parts.join(' | ');
-}