@eduardbar/drift 1.3.0 → 1.5.0

package/README.md

@@ -51,12 +51,63 @@ npm install --save-dev @eduardbar/drift
 
 - Product requirements and roadmap: [`docs/PRD.md`](./docs/PRD.md)
 - Trust core release checklist: [`docs/trust-core-release-checklist.md`](./docs/trust-core-release-checklist.md)
+- Rules catalog (source-of-truth snapshot): [`docs/rules-catalog.md`](./docs/rules-catalog.md)
 - Contributor/agent workflow guide: [`docs/AGENTS.md`](./docs/AGENTS.md)
 
 ---
 
 ## Commands
 
+### `drift init`
+
+Scaffold first-run setup for drift in an existing repository.
+
+```bash
+drift init
+drift init --preset node-backend
+drift init --preset react-app --ci --baseline
+```
+
+| Flag | Description |
+|------|-------------|
+| `--preset <type>` | Generate `drift.config.ts` using one of: `node-backend`, `react-app`, `hexagonal`, `monorepo` |
+| `--ci` | Generate `.github/workflows/drift-review.yml` |
+| `--baseline` | Generate `drift-baseline.json` from the current scan |
+
+`drift init` is non-destructive for pre-existing targets: drift skips generation when an output file already exists and prints a warning.
+
+---
+
+### `drift doctor`
+
+Run environment diagnostics for Node/runtime and project readiness.
+
+```bash
+drift doctor
+drift doctor --json
+```
+
+| Flag | Description |
+|------|-------------|
+| `--json` | Output structured doctor report JSON |
+
+Checks include Node major version support (`>=20`), `package.json`, ESM mode, `tsconfig.json`, source file count, optional `--low-memory` recommendation, and `drift.config.*` detection.
+
+When `--json` is enabled, output includes `$schema` and `toolVersion` metadata and follows [`schemas/drift-doctor.v1.json`](./schemas/drift-doctor.v1.json).
+
+---
+
+### Repository smoke (local source CLI)
+
+Run a non-destructive end-to-end smoke suite against any repository path using local source commands (`node --import tsx ./src/cli.ts ...`).
+
+```bash
+npm run smoke:repo -- ../target-repo --base origin/main
+npm run smoke:repo -- ../target-repo --dry-run
+```
+
+The script writes JSON + Markdown summaries and command logs under `.drift-smoke/<repo>-<timestamp>/`.
+
 ### `drift scan [path]`
 
 Scan a directory and print a scored report to stdout.
@@ -77,16 +128,19 @@ drift scan ./src --low-memory --max-file-size-kb 1024
 | Flag | Description |
 |------|-------------|
 | `--output <file>` | Write Markdown report to a file instead of stdout |
+| `--format <type>` | Output format: `console\|json\|markdown\|ai\|sarif` |
 | `--json` | Output raw `DriftReport` JSON |
 | `--ai` | Output structured JSON optimized for LLM consumption (Claude, GPT, etc.) |
 | `--fix` | Print inline fix suggestions for each detected issue |
-| `--min-score <n>` | Exit with code 1 if the overall score meets or exceeds this threshold |
+| `--min-score <n>` | Exit with code 1 if the overall score strictly exceeds this threshold |
 | `--low-memory` | Analyze files in bounded chunks to reduce peak RAM |
 | `--chunk-size <n>` | Files per chunk in low-memory mode (default: 40) |
 | `--max-files <n>` | Soft cap on analyzed files; extra files are skipped with diagnostics |
 | `--max-file-size-kb <n>` | Skip oversized files with diagnostics to avoid OOM |
 | `--with-semantic-duplication` | Keep semantic duplication rule enabled in low-memory mode |
 
+`--min-score` currently fails when `totalScore > n` (strictly greater than), matching CLI behavior.
+
 **Example output:**
 
 ```
@@ -113,6 +167,35 @@ drift scan ./src --low-memory --max-file-size-kb 1024
 
 ---
 
+### `drift guard [path]`
+
+Evaluate drift regression guardrails against a git diff (`--base`) or a baseline file/object.
+
+```bash
+drift guard ./src --base origin/main
+drift guard ./src --baseline drift-baseline.json
+drift guard ./src --base origin/main --budget 3 --by-severity error=0,warning=2,info=5
+drift guard ./src --base origin/main --json
+```
+
+| Flag | Description |
+|------|-------------|
+| `--base <ref>` | Diff mode: compare current state vs git ref |
+| `--baseline <file>` | Baseline mode: compare against baseline JSON (default file name: `drift-baseline.json`) |
+| `--budget <n>` | Maximum allowed score delta |
+| `--by-severity <spec>` | Severity thresholds as CSV `key=value` pairs (`error`, `warning`, `info`) |
+| `--json` | Output full `GuardResult` JSON |
+| `--low-memory` / `--chunk-size <n>` / `--max-files <n>` / `--max-file-size-kb <n>` / `--with-semantic-duplication` | Analysis resource controls shared with scan/diff/report/badge/ci/trust |
+
+Behavior:
+- With `--base`, guard enforces no-regression checks for score and total issues, then applies optional budget/severity thresholds.
+- Without `--base`, guard requires a baseline (inline or file) and compares only against available baseline anchors.
+- Exit code is `1` when any guard check fails.
+
+When `--json` is enabled, output includes `$schema` and `toolVersion` metadata and follows [`schemas/drift-guard.v1.json`](./schemas/drift-guard.v1.json).
+
+---
+
 ### `drift diff [ref]`
 
 Compare the current project state against any git ref. Defaults to `HEAD~1`.
@@ -122,6 +205,7 @@ drift diff                # HEAD vs HEAD~1
 drift diff HEAD~3         # HEAD vs 3 commits ago
 drift diff main           # HEAD vs branch main
 drift diff abc1234        # HEAD vs a specific commit
+drift diff --format sarif # Output SARIF for code scanning
 drift diff --json         # Output raw JSON diff
 ```
 
@@ -129,6 +213,7 @@ drift diff --json         # Output raw JSON diff
 
 | Flag | Description |
 |------|-------------|
+| `--format <type>` | Output format: `console\|json\|sarif` |
 | `--json` | Output raw JSON diff |
 
 Shows score delta, issues introduced, and issues resolved since the given ref.
@@ -143,12 +228,14 @@ Review drift against a git base ref and output a PR-ready markdown comment.
 drift review --base origin/main
 drift review --base main --comment
 drift review --base HEAD~3 --json
+drift review --base origin/main --format sarif
 drift review --base origin/main --fail-on 5
 ```
 
 | Flag | Description |
 |------|-------------|
 | `--base <ref>` | Git base ref to compare against (default: `origin/main`) |
+| `--format <type>` | Output format: `console\|json\|markdown\|sarif` |
 | `--json` | Output structured review JSON |
 | `--comment` | Print only the markdown body for PR comments |
 | `--fail-on <n>` | Exit code 1 when score delta is greater than or equal to `n` |
@@ -167,11 +254,12 @@ drift trust ./src
 drift trust ./src --json
 drift trust ./src --base origin/main
 drift trust ./src --base origin/main --markdown
+drift trust ./src --format sarif
 drift trust ./src --markdown --output trust.md
 drift trust ./src --min-trust 45
 drift trust ./src --max-risk HIGH
 drift trust ./src --branch main
-drift trust ./src --branch release/v1.4.0 --policy-pack strict --explain-policy
+drift trust ./src --branch release/v1.5.0 --policy-pack strict --explain-policy
 drift trust ./src --advanced-trust
 drift trust ./src --advanced-trust --previous-trust ./artifacts/prev-trust.json
 drift trust ./src --advanced-trust --history-file ./drift-history.json --markdown
@@ -180,6 +268,7 @@ drift trust ./src --advanced-trust --history-file ./drift-history.json --markdow
 | Flag | Description |
 |------|-------------|
 | `--base <ref>` | Compare against a git base ref and include deterministic diff-aware penalties/bonuses |
+| `--format <type>` | Output format: `console\|json\|markdown\|sarif` |
 | `--json` | Output structured trust JSON (`trust_score`, `merge_risk`, `top_reasons`, `fix_priorities`, optional `diff_context`) |
 | `--markdown` | Output PR-ready markdown trust summary |
 | `--output <file>` | Write selected trust output format to file |
@@ -308,6 +397,7 @@ Emit GitHub Actions annotations and a step summary. Designed to run inside a CI
 ```bash
 drift ci                  # scan current directory
 drift ci ./src
+drift ci ./src --format sarif
 drift ci ./src --min-score 60
 ```
 
@@ -315,7 +405,8 @@ drift ci ./src --min-score 60
 
 | Flag | Description |
 |------|-------------|
-| `--min-score <n>` | Exit with code 1 if the overall score meets or exceeds this threshold |
+| `--format <type>` | Output format: `console\|json\|sarif` |
+| `--min-score <n>` | Exit with code 1 if the overall score strictly exceeds this threshold |
 
 Outputs `::error` and `::warning` annotations visible in the PR diff. Writes a markdown summary to `$GITHUB_STEP_SUMMARY`.
 
@@ -427,36 +518,28 @@ export default {
 
 ## Rules
 
-26 rules across three severity levels. All run automatically unless marked as requiring configuration.
+drift currently defines **35 rule IDs** in `RULE_WEIGHTS` (`src/analyzer.ts`): core detections, configurable architecture checks, AI/meta aggregation, plugin diagnostics, and analysis guardrail diagnostics.
+
+For the complete up-to-date catalog (id, severity, weight, phase/origin, note), see [`docs/rules-catalog.md`](./docs/rules-catalog.md).
+
+Highlights:
 
 | Rule | Severity | Weight | What it detects |
 |------|----------|--------|-----------------|
-| `large-file` | error | 20 | Files exceeding 300 lines — AI generates monolithic files instead of splitting responsibility |
-| `large-function` | error | 15 | Functions exceeding 50 lines — AI avoids decomposing logic into smaller units |
-| `duplicate-function-name` | error | 18 | Function names that appear more than once (case-insensitive) — AI regenerates helpers instead of reusing them |
-| `high-complexity` | error | 15 | Cyclomatic complexity above 10 — AI produces correct code, not necessarily simple code |
-| `circular-dependency` | error | 14 | Circular import chains between modules — AI doesn't reason about module topology |
-| `layer-violation` | error | 16 | Imports that cross architectural layers in the wrong direction (e.g., domain importing from infra) — requires `drift.config.ts` |
-| `debug-leftover` | warning | 10 | `console.log`, `console.warn`, `console.error`, and `TODO` / `FIXME` / `HACK` comments — AI leaves scaffolding in place |
-| `dead-code` | warning | 8 | Named imports that are never used in the file — AI imports broadly |
-| `any-abuse` | warning | 8 | Explicit `any` type annotations — AI defaults to `any` when type inference is unclear |
-| `catch-swallow` | warning | 10 | Empty `catch` blocks — AI makes code not throw without handling the error |
-| `comment-contradiction` | warning | 12 | Comments that restate what the surrounding code already expresses — AI over-documents the obvious |
-| `deep-nesting` | warning | 12 | Control flow nested more than 3 levels deep — results in code that is difficult to follow |
-| `too-many-params` | warning | 8 | Functions with more than 4 parameters — AI avoids grouping related arguments into objects |
-| `high-coupling` | warning | 10 | Files importing from more than 10 distinct modules — AI imports broadly without encapsulation |
-| `promise-style-mix` | warning | 7 | `async/await` and `.then()` / `.catch()` used together in the same file — AI combines styles inconsistently |
-| `unused-export` | warning | 8 | Named exports that are never imported anywhere in the project — cross-file dead code ESLint cannot detect |
-| `dead-file` | warning | 10 | Files never imported by any other file in the project — invisible dead code |
-| `unused-dependency` | warning | 6 | Packages listed in `package.json` with no corresponding import in source files |
-| `cross-boundary-import` | warning | 10 | Imports that cross module boundaries outside the allowed list — requires `drift.config.ts` |
-| `hardcoded-config` | warning | 10 | Hardcoded URLs, IP addresses, secrets, or connection strings — AI skips environment variable abstraction |
-| `inconsistent-error-handling` | warning | 8 | Mixed `try/catch` and `.catch()` patterns in the same file — AI combines approaches without a consistent strategy |
-| `unnecessary-abstraction` | warning | 7 | Wrapper functions or helpers that add no logic over what they wrap — AI over-engineers simple calls |
-| `naming-inconsistency` | warning | 6 | Mixed `camelCase` and `snake_case` in the same module — AI forgets project conventions mid-generation |
-| `semantic-duplication` | warning | 12 | Functions with structurally identical logic despite different names — detected via AST fingerprinting, not text comparison |
-| `no-return-type` | info | 5 | Functions missing an explicit return type annotation |
-| `magic-number` | info | 3 | Numeric literals used directly in logic without a named constant |
+| `large-file` | error | 20 | Files exceeding 300 lines |
+| `duplicate-function-name` | error | 18 | Same function name repeated across a file |
+| `high-complexity` | error | 15 | Cyclomatic complexity above threshold |
+| `layer-violation` | error | 16 | Invalid layer import direction (requires `layers` config) |
+| `cross-boundary-import` | warning | 10 | Invalid module boundary import (requires `modules`/legacy boundaries config) |
+| `controller-no-db` | warning | 11 | Controller touching DB directly (configurable architecture rule) |
+| `service-no-http` | warning | 11 | Service layer coupled to HTTP concerns (configurable architecture rule) |
+| `max-function-lines` | warning | 9 | Function line cap enforced by `architectureRules.maxFunctionLines` |
+| `semantic-duplication` | warning | 12 | AST-level semantic function duplication |
+| `ai-code-smell` | warning | 12 | Aggregated AI-smell signal from multiple heuristics in a file |
+| `plugin-error` | warning | 4 | Plugin load/contract/runtime failure surfaced as issue |
+| `plugin-warning` | info | 0 | Non-fatal plugin validation warning |
+| `analysis-skip-max-files` | info | 0 | File skipped by `maxFiles` guardrail |
+| `analysis-skip-file-size` | info | 0 | File skipped by `maxFileSizeKb` guardrail |
 
 ---
 
@@ -476,7 +559,7 @@ export default {
 
 ## Configuration
 
-drift runs with zero configuration. Architectural rules (`layer-violation`, `cross-boundary-import`) require a `drift.config.ts` (or `.js` / `.json`) at your project root:
+drift runs with zero configuration. Architectural rules (`layer-violation`, `cross-boundary-import`) and configurable architecture checks use `drift.config.ts` (or `.js` / `.json`) at project root:
 
 ```typescript
 import type { DriftConfig } from '@eduardbar/drift'
@@ -509,22 +592,16 @@ export default {
     { name: 'app',     patterns: ['src/app/**'],     canImportFrom: ['domain'] },
     { name: 'infra',   patterns: ['src/infra/**'],   canImportFrom: ['domain', 'app'] },
   ],
-  boundaries: [
+  modules: [
     { name: 'auth',    root: 'src/modules/auth',    allowedExternalImports: ['src/shared'] },
     { name: 'billing', root: 'src/modules/billing', allowedExternalImports: ['src/shared'] },
   ],
-  exclude: [
-    'src/generated/**',
-    '**/*.spec.ts',
-  ],
-  rules: {
-    'large-file': { threshold: 400 },   // override default 300
-    'magic-number': 'off',              // disable a rule
-  },
 } satisfies DriftConfig
 ```
 
-Without a config file, `layer-violation` and `cross-boundary-import` are silently skipped. All other rules run with their defaults.
+For backwards compatibility, `moduleBoundaries` and `boundaries` are normalized to `modules`.
+
+Without a config file, `layer-violation`, `cross-boundary-import`, and configurable architecture checks (`controller-no-db`, `service-no-http`, `max-function-lines`) are skipped. All other rules run with defaults.
 
 ### Memory guardrails (recommended for large repos)
 
@@ -563,7 +640,7 @@ jobs:
         run: npx @eduardbar/drift scan ./src --min-score 60
 ```
 
-Exit code is `1` if the score meets or exceeds `--min-score`. Exit code `0` otherwise.
+Exit code is `1` if the score is strictly greater than `--min-score`. Exit code `0` otherwise.
 
 ### Annotations and step summary with `drift ci`
 
@@ -586,6 +663,29 @@ jobs:
 
 `drift ci` emits `::error` and `::warning` annotations that appear inline in the PR diff and writes a formatted summary to `$GITHUB_STEP_SUMMARY`. Use this when you want visibility beyond a pass/fail exit code.
 
+### Required quality checks for merge and release
+
+This repository enforces `.github/workflows/quality.yml` on `pull_request` and `push` to `main`/`master`.
+
+The workflow runs a required Node.js matrix (`20`, `22`) and executes these checks in each matrix job:
+- `npm ci`
+- `npm run check:runtime-policy`
+- `npm run check:docs-drift`
+- `npm test`
+- `npm run test:coverage`
+- `npm run build`
+- `npm run smoke:repo -- --base HEAD --out .drift-smoke/ci-node-<node>`
+
+Additionally, Node 20 runs a deterministic performance regression gate:
+- `npm run check:perf-budget -- --out .drift-perf/ci-node-20/benchmark-latest.json`
+- Budget source of truth: [`benchmarks/perf-budget.v1.json`](./benchmarks/perf-budget.v1.json)
+
+`check:docs-drift` enforces documentation source-of-truth contracts: package version claims come from `package.json` and rule catalog/count claims come from `RULE_WEIGHTS` in `src/analyzer.ts`.
+
+Coverage artifacts and smoke E2E artifacts are uploaded from each matrix run to support traceability and CI debugging. The perf gate also uploads `.drift-perf/...` artifacts on Node 20.
+
+`publish.yml` now runs `release-verify` before publish, reusing the same quality workflow contract. `publish` only runs after `release-verify` passes.
+
 ### Auto PR comment with `drift review`
 
 The repository includes `.github/workflows/review-pr.yml`, which:
@@ -595,11 +695,45 @@ The repository includes `.github/workflows/review-pr.yml`, which:
 - enforces a trust baseline gate with `drift trust-gate drift-trust.json --min-trust 45 --max-risk HIGH`
 - uploads `drift trust --json` as `drift-trust-json-pr-<PR_NUMBER>-run-<RUN_ATTEMPT>` for manual KPI tracking
 - publishes a compact trust KPI summary in `$GITHUB_STEP_SUMMARY` (score, merge risk, new/resolved issues when diff context is available)
+- generates `drift.sarif` via `drift scan --format sarif`, uploads it to GitHub Code Scanning on non-fork PRs, and stores the SARIF file as workflow artifact for traceability
+
+Quick local SARIF export:
+
+```bash
+drift scan ./src --format sarif > drift.sarif
+```
+
+Example GitHub Code Scanning upload with SARIF:
+
+```yaml
+- name: Generate drift SARIF
+  run: npx @eduardbar/drift scan ./src --format sarif > drift.sarif
+
+- name: Upload SARIF to Code Scanning
+  uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: drift.sarif
+```
 
 Default gate behavior in this repo:
 - fail when trust is below 45
 - fail when merge risk is above `HIGH` (that means `CRITICAL` is blocked)
 
+### GitHub Action contract (v2)
+
+This repo also ships reusable local composite actions:
+
+- `./.github/actions/drift-scan`: score-focused scan gate using `npx @eduardbar/drift@<version>` (no global install).
+- `./.github/actions/drift-review`: trust/review/gate flow for PRs, aligned with `.github/workflows/review-pr.yml`.
+
+`drift-scan` exposes machine-friendly outputs for CI composition:
+- `score`, `grade`, `errors`, `warnings`, `infos`, `total-issues`, `files-affected`, `top-rules`
+
+`drift-review` exposes:
+- `trust-score`, `merge-risk`, `new-issues`, `resolved-issues`, `trust-json`, `trust-markdown`, `review-markdown`
+
+See `.github/actions/drift-scan/README.md` and `.github/actions/drift-review/README.md` for usage details.
+
 ---
 
 ## drift-ignore
@@ -673,7 +807,7 @@ See [CODE_OF_CONDUCT.md](./CODE_OF_CONDUCT.md) before participating.
 | [`commander`](https://github.com/tj/commander.js) | CLI commands and flags |
 | [`kleur`](https://github.com/lukeed/kleur) | Terminal colors (zero dependencies) |
 
-**Runtime:** Node.js 18+ · TypeScript 5.x · ES Modules · Supports TypeScript (`.ts`, `.tsx`) and JavaScript (`.js`, `.jsx`) files
+**Runtime:** Node.js 20.x and 22.x (LTS) · TypeScript 5.x · ES Modules · Supports TypeScript (`.ts`, `.tsx`) and JavaScript (`.js`, `.jsx`) files
 
 ---
 

package/benchmarks/fixtures/critical/drift.config.ts

@@ -0,0 +1,21 @@
+const config = {
+  layers: [
+    { name: 'domain', patterns: ['src/domain/**'], canImportFrom: [] },
+    { name: 'app', patterns: ['src/app/**'], canImportFrom: ['domain'] },
+    { name: 'infra', patterns: ['src/infra/**'], canImportFrom: ['domain', 'app'] },
+  ],
+  architectureRules: {
+    controllerNoDb: true,
+    serviceNoHttp: true,
+    maxFunctionLines: 80,
+  },
+  performance: {
+    lowMemory: false,
+    chunkSize: 40,
+    maxFiles: 200,
+    maxFileSizeKb: 512,
+    includeSemanticDuplication: false,
+  },
+}
+
+export default config

package/benchmarks/fixtures/critical/src/app/user-service.ts

@@ -0,0 +1,30 @@
+import { canAccessBilling, normalizeEmail, type User } from '../domain/entities.js'
+
+export interface UserRepository {
+  findByEmail(email: string): Promise<User | undefined>
+  save(user: User): Promise<void>
+}
+
+export class UserService {
+  constructor(private readonly repo: UserRepository) {}
+
+  async ensureUser(email: string): Promise<User> {
+    const normalizedEmail = normalizeEmail(email)
+    const existing = await this.repo.findByEmail(normalizedEmail)
+    if (existing) return existing
+
+    const created: User = {
+      id: `u-${normalizedEmail}`,
+      email: normalizedEmail,
+      active: true,
+    }
+
+    await this.repo.save(created)
+    return created
+  }
+
+  async canAccessFeature(email: string): Promise<boolean> {
+    const user = await this.ensureUser(email)
+    return canAccessBilling(user)
+  }
+}

package/benchmarks/fixtures/critical/src/domain/entities.ts

@@ -0,0 +1,19 @@
+export type UserId = string
+
+export interface User {
+  id: UserId
+  email: string
+  active: boolean
+}
+
+export function normalizeEmail(email: string): string {
+  return email.trim().toLowerCase()
+}
+
+export function isCompanyEmail(email: string): boolean {
+  return normalizeEmail(email).endsWith('@example.com')
+}
+
+export function canAccessBilling(user: User): boolean {
+  return user.active && isCompanyEmail(user.email)
+}

package/benchmarks/fixtures/critical/src/domain/policies.ts

@@ -0,0 +1,22 @@
+export interface AccessPolicyInput {
+  score: number
+  isInternal: boolean
+  isTrial: boolean
+  hasPaymentIssue: boolean
+}
+
+export function computeTrustTier(input: AccessPolicyInput): 'low' | 'medium' | 'high' {
+  if (input.hasPaymentIssue) return 'low'
+  if (input.score >= 80 && input.isInternal) return 'high'
+  if (input.score >= 60 && !input.isTrial) return 'medium'
+  return 'low'
+}
+
+export function canRunExpensiveChecks(input: AccessPolicyInput): boolean {
+  const tier = computeTrustTier(input)
+  return tier === 'high' || (tier === 'medium' && input.score >= 70)
+}
+
+export function shouldNotifyOps(input: AccessPolicyInput): boolean {
+  return input.hasPaymentIssue || (!input.isInternal && input.score < 45)
+}

package/benchmarks/fixtures/critical/src/index.ts

@@ -0,0 +1,10 @@
+import { UserService } from './app/user-service.js'
+import { MemoryUserRepository } from './infra/memory-user-repo.js'
+
+const service = new UserService(new MemoryUserRepository())
+
+export async function runFixtureFlow(): Promise<boolean> {
+  return service.canAccessFeature('Demo.User@example.com')
+}
+
+void runFixtureFlow()

package/benchmarks/fixtures/critical/src/infra/memory-user-repo.ts

@@ -0,0 +1,14 @@
+import type { User } from '../domain/entities.js'
+import type { UserRepository } from '../app/user-service.js'
+
+export class MemoryUserRepository implements UserRepository {
+  private readonly users = new Map<string, User>()
+
+  async findByEmail(email: string): Promise<User | undefined> {
+    return this.users.get(email)
+  }
+
+  async save(user: User): Promise<void> {
+    this.users.set(user.email, user)
+  }
+}

package/benchmarks/perf-budget.v1.json

@@ -0,0 +1,27 @@
+{
+  "schemaVersion": "drift-perf-budget/v1",
+  "budgetVersion": "2026-03-26",
+  "benchmark": {
+    "fixturePath": "benchmarks/fixtures/critical",
+    "warmupRuns": 1,
+    "measuredRuns": 3
+  },
+  "tolerance": {
+    "runtimePct": 30,
+    "memoryPct": 25
+  },
+  "tasks": {
+    "scan": {
+      "maxMedianMs": 3800,
+      "maxRssMb": 700
+    },
+    "review": {
+      "maxMedianMs": 6500,
+      "maxRssMb": 1300
+    },
+    "trust": {
+      "maxMedianMs": 6500,
+      "maxRssMb": 1300
+    }
+  }
+}

package/dist/benchmark.d.ts

@@ -1,2 +1,2 @@
-export {};
+export declare function runBenchmarkCli(argv?: string[]): Promise<void>;
 //# sourceMappingURL=benchmark.d.ts.map