@eviano/tribunal 0.1.2 → 0.2.0

package/dist/diff/parseUnifiedDiff.js

@@ -4,39 +4,66 @@
  *
  * We deliberately track only new-file line numbers: analyzers reason about the post-change tree, so a
  * "touched" node is one whose new-file line range overlaps `addedLines`.
+ *
+ * Both git-style diffs (`diff --git`) and plain unified diffs (no `diff --git` header, e.g. `diff -u` or
+ * a `git format-patch` body) are supported. A plain diff opens a file record on its first `---`/`+++`
+ * header so a hand-written or piped patch is never silently dropped to `[]`.
  */
 export function parseUnifiedDiff(diff) {
     const files = [];
+    // `current`/`newLine`/`seenPlus` are reassigned across iterations; we read them into a narrowed local
+    // (`rec`) where we use them, since TS can't keep a closure-mutated `let` narrowed through the loop.
     let current = null;
     let newLine = 0;
+    // True once the current record has consumed its `+++` header. A subsequent `---` then starts the next
+    // file (plain unified diffs have no `diff --git` line to delimit files).
+    let seenPlus = false;
     for (const line of diff.split('\n')) {
         if (line.startsWith('diff --git')) {
-            current = { path: '', status: 'modified', addedLines: new Set() };
-            files.push(current);
+            const rec = { path: '', status: 'modified', addedLines: new Set() };
+            files.push(rec);
+            current = rec;
+            seenPlus = false;
             const m = line.match(/^diff --git a\/(.+?) b\/(.+)$/);
             if (m)
-                current.path = m[2];
+                rec.path = m[2];
             continue;
         }
-        if (!current)
+        // A `---` header opens a record for plain (non-git) unified diffs, and separates consecutive files.
+        // In git format `diff --git` already opened the record, and the first `---` arrives before any `+++`
+        // (seenPlus === false), so it does not re-open.
+        if (line.startsWith('--- ')) {
+            if (!current || seenPlus) {
+                const rec = { path: '', status: 'modified', addedLines: new Set() };
+                files.push(rec);
+                current = rec;
+                seenPlus = false;
+                const p = line.slice(4).trim();
+                // Provisional old-path; kept only when there is no `+++` (e.g. a plain deletion) so the record
+                // isn't left pathless. `+++` overrides it for normal adds/modifies.
+                if (p && p !== '/dev/null')
+                    rec.path = p.replace(/^a\//, '');
+            }
             continue;
-        if (line.startsWith('new file mode')) {
-            current.status = 'added';
-        }
-        else if (line.startsWith('deleted file mode')) {
-            current.status = 'deleted';
-        }
-        else if (line.startsWith('rename to ')) {
-            current.path = line.slice('rename to '.length).trim();
-            current.status = 'renamed';
         }
-        else if (line.startsWith('+++ ')) {
+        const rec = current;
+        if (!rec)
+            continue;
+        if (line.startsWith('+++ ')) {
             const p = line.slice(4).trim();
             if (p !== '/dev/null')
-                current.path = p.replace(/^b\//, '');
+                rec.path = p.replace(/^b\//, '');
+            seenPlus = true;
+        }
+        else if (line.startsWith('new file mode')) {
+            rec.status = 'added';
         }
-        else if (line.startsWith('--- ')) {
-            // old-file header; ignore
+        else if (line.startsWith('deleted file mode')) {
+            rec.status = 'deleted';
+        }
+        else if (line.startsWith('rename to ')) {
+            rec.path = line.slice('rename to '.length).trim();
+            rec.status = 'renamed';
         }
         else if (line.startsWith('@@')) {
             const m = line.match(/^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/);
@@ -44,7 +71,7 @@ export function parseUnifiedDiff(diff) {
                 newLine = parseInt(m[1], 10);
         }
         else if (line.startsWith('+') && !line.startsWith('+++')) {
-            current.addedLines.add(newLine);
+            rec.addedLines.add(newLine);
             newLine++;
         }
         else if (line.startsWith('-') && !line.startsWith('---')) {

package/dist/diff/parseUnifiedDiff.js.map

@@ -1 +1 @@
-{"version":3,"file":"parseUnifiedDiff.js","sourceRoot":"","sources":["../../src/diff/parseUnifiedDiff.ts"],"names":[],"mappings":"AAEA;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,IAAI,OAAO,GAAuB,IAAI,CAAC;IACvC,IAAI,OAAO,GAAG,CAAC,CAAC;IAEhB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAClC,OAAO,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;YAC1E,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACtD,IAAI,CAAC;gBAAE,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC3B,SAAS;QACX,CAAC;QACD,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YACrC,OAAO,CAAC,MAAM,GAAG,OAAO,CAAC;QAC3B,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAChD,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;QAC7B,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YACtD,OAAO,CAAC,MAAM,GAAG,SAAS,CAAC;QAC7B,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACnC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,WAAW;gBAAE,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QAC9D,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YACnC,0BAA0B;QAC5B,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC9D,IAAI,CAAC;gBAAE,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtC,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAChC,OAAO,EAAE,CAAC;QACZ,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,sDAAsD;QACxD,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,gCAAgC;QAClC,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,0CAA0C;YAC1C,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
+{"version":3,"file":"parseUnifiedDiff.js","sourceRoot":"","sources":["../../src/diff/parseUnifiedDiff.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,MAAM,KAAK,GAAkB,EAAE,CAAC;IAChC,sGAAsG;IACtG,oGAAoG;IACpG,IAAI,OAAO,GAAuB,IAAI,CAAC;IACvC,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,sGAAsG;IACtG,yEAAyE;IACzE,IAAI,QAAQ,GAAG,KAAK,CAAC;IAErB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;QACpC,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YAClC,MAAM,GAAG,GAAgB,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;YACzF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAChB,OAAO,GAAG,GAAG,CAAC;YACd,QAAQ,GAAG,KAAK,CAAC;YACjB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,+BAA+B,CAAC,CAAC;YACtD,IAAI,CAAC;gBAAE,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACvB,SAAS;QACX,CAAC;QACD,oGAAoG;QACpG,qGAAqG;QACrG,gDAAgD;QAChD,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,OAAO,IAAI,QAAQ,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAgB,EAAE,IAAI,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,IAAI,GAAG,EAAU,EAAE,CAAC;gBACzF,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBAChB,OAAO,GAAG,GAAG,CAAC;gBACd,QAAQ,GAAG,KAAK,CAAC;gBACjB,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC/B,+FAA+F;gBAC/F,oEAAoE;gBACpE,IAAI,CAAC,IAAI,CAAC,KAAK,WAAW;oBAAE,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YAC/D,CAAC;YACD,SAAS;QACX,CAAC;QACD,MAAM,GAAG,GAAG,OAAO,CAAC;QACpB,IAAI,CAAC,GAAG;YAAE,SAAS;QAEnB,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC/B,IAAI,CAAC,KAAK,WAAW;gBAAE,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;YACxD,QAAQ,GAAG,IAAI,CAAC;QAClB,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC,EAAE,CAAC;YAC5C,GAAG,CAAC,MAAM,GAAG,OAAO,CAAC;QACvB,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,mBAAmB,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,MAAM,GAAG,SAAS,CAAC;QACzB,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;YACzC,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,CAAC;YAClD,GAAG,CAAC,MAAM,GAAG,SAAS,CAAC;QACzB,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,uCAAuC,CAAC,CAAC;YAC9D,IAAI,CAAC;gBAAE,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACtC,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAC5B,OAAO,EAAE,CAAC;QACZ,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC;YAC3D,sDAAsD;QACxD,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YACjC,gCAAgC;QAClC,CAAC;aAAM,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAChC,0CAA0C;YAC1C,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/index.d.ts

@@ -1,12 +1,13 @@
 import { type DiffSource } from './diff/gitDiff.js';
 import type { Analyzer, AnalyzerContext, Report } from './types.js';
 export type { Analyzer, AnalyzerContext, ChangedFile, Claim, Finding, Report, Verdict } from './types.js';
-export { analyzers, assertionFreeTest, hallucinatedSymbol, claimReconciliation } from './analyzers/index.js';
+export { analyzers, assertionFreeTest, hallucinatedSymbol, riskyDiffNoTest, commentCodeDrift, claimReconciliation } from './analyzers/index.js';
 export { recognizedClaims } from './analyzers/claimReconciliation.js';
 export { parseClaims, type ParseClaimsOptions } from './claims.js';
+export { buildPrompt, extractClaimsFromResponse, renderClaimsBlock, runPropose, PROPOSABLE_CLAIMS, type ProposeProvider, type FetchLike, type RunProposeOptions, type RunProposeResult, } from './propose.js';
 export { parseUnifiedDiff } from './diff/parseUnifiedDiff.js';
 export { getChangedFiles, makeContext, type DiffSource } from './diff/gitDiff.js';
-export { buildReport, exitCode, renderJson, renderMarkdown } from './report/render.js';
+export { buildReport, exitCode, renderJson, renderMarkdown, renderSarif } from './report/render.js';
 export interface RunOptions {
     analyzers?: Analyzer[];
 }

package/dist/index.js

@@ -6,12 +6,13 @@
 import { analyzers as defaultAnalyzers } from './analyzers/index.js';
 import { makeContext } from './diff/gitDiff.js';
 import { buildReport } from './report/render.js';
-export { analyzers, assertionFreeTest, hallucinatedSymbol, claimReconciliation } from './analyzers/index.js';
+export { analyzers, assertionFreeTest, hallucinatedSymbol, riskyDiffNoTest, commentCodeDrift, claimReconciliation } from './analyzers/index.js';
 export { recognizedClaims } from './analyzers/claimReconciliation.js';
 export { parseClaims } from './claims.js';
+export { buildPrompt, extractClaimsFromResponse, renderClaimsBlock, runPropose, PROPOSABLE_CLAIMS, } from './propose.js';
 export { parseUnifiedDiff } from './diff/parseUnifiedDiff.js';
 export { getChangedFiles, makeContext } from './diff/gitDiff.js';
-export { buildReport, exitCode, renderJson, renderMarkdown } from './report/render.js';
+export { buildReport, exitCode, renderJson, renderMarkdown, renderSarif } from './report/render.js';
 /** Run analyzers over an AnalyzerContext and aggregate into a Report. */
 export function runAnalyzers(ctx, opts = {}) {
     const list = opts.analyzers ?? defaultAnalyzers;

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,SAAS,IAAI,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAIjD,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAC7G,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,WAAW,EAA2B,MAAM,aAAa,CAAC;AACnE,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAMvF,yEAAyE;AACzE,MAAM,UAAU,YAAY,CAAC,GAAoB,EAAE,OAAmB,EAAE;IACtE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,OAAO,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,WAAW,CAAC,GAAe,EAAE,OAAmB,EAAE;IAChE,OAAO,YAAY,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,OAAO,EAAE,SAAS,IAAI,gBAAgB,EAAE,MAAM,sBAAsB,CAAC;AACrE,OAAO,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAC;AACjE,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAIjD,OAAO,EAAE,SAAS,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,eAAe,EAAE,gBAAgB,EAAE,mBAAmB,EAAE,MAAM,sBAAsB,CAAC;AAChJ,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AACtE,OAAO,EAAE,WAAW,EAA2B,MAAM,aAAa,CAAC;AACnE,OAAO,EACL,WAAW,EACX,yBAAyB,EACzB,iBAAiB,EACjB,UAAU,EACV,iBAAiB,GAKlB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAE,gBAAgB,EAAE,MAAM,4BAA4B,CAAC;AAC9D,OAAO,EAAE,eAAe,EAAE,WAAW,EAAmB,MAAM,mBAAmB,CAAC;AAClF,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,UAAU,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AAMpG,yEAAyE;AACzE,MAAM,UAAU,YAAY,CAAC,GAAoB,EAAE,OAAmB,EAAE;IACtE,MAAM,IAAI,GAAG,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC;IAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACjD,OAAO,WAAW,CAAC,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;AAC5C,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,WAAW,CAAC,GAAe,EAAE,OAAmB,EAAE;IAChE,OAAO,YAAY,CAAC,WAAW,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC"}

package/dist/paths.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Generated/build-output path detection.
+ *
+ * A bundled artifact (e.g. `action-dist/cli.cjs`) carries the project's own source — including risky
+ * vocab like `token` / `secret` — and isn't hand-written source a reviewer can act on. Flagging it is a
+ * false-ish positive: technically correct, operationally noisy. `riskyDiffNoTest` skips generated paths
+ * so the signal lands on human-authored code.
+ *
+ * This list is a deliberate, conservative default. It is overridable: set `skipGenerated = false` on
+ * the analyzer (via the CLI's `--no-skip-generated` / `TRIBUNAL_NO_SKIP_GENERATED=1`) to disable it
+ * entirely — an opinionated default must never silently suppress a file the user wants checked.
+ *
+ * Scope: advisory, on `riskyDiffNoTest` only. It does NOT affect the verdict path, `exitCode`, or other
+ * analyzers.
+ */
+/** The full default pattern set, exported so a future config file can extend or replace it. */
+export declare const GENERATED_PATH_PATTERNS: readonly string[];
+/**
+ * True if a repo-relative path looks like generated/build output. Normalizes to forward slashes so it
+ * works regardless of platform. A path matches if any segment begins with a generated dir prefix, the
+ * basename ends with a generated suffix, OR it matches an extra pattern (from tribunal.yml config).
+ *
+ * Extra patterns are appended to the built-ins at match time — config can only ADD coverage, never drop
+ * a safety net. An extra pattern is matched as: a dir-prefix (vendor-gen with trailing slash), a suffix
+ * (.gen.ts), or a simple glob with single-segment star and double-star across segments.
+ */
+export declare function isGeneratedPath(path: string, extraPatterns?: readonly string[]): boolean;

package/dist/paths.js

@@ -0,0 +1,112 @@
+/**
+ * Generated/build-output path detection.
+ *
+ * A bundled artifact (e.g. `action-dist/cli.cjs`) carries the project's own source — including risky
+ * vocab like `token` / `secret` — and isn't hand-written source a reviewer can act on. Flagging it is a
+ * false-ish positive: technically correct, operationally noisy. `riskyDiffNoTest` skips generated paths
+ * so the signal lands on human-authored code.
+ *
+ * This list is a deliberate, conservative default. It is overridable: set `skipGenerated = false` on
+ * the analyzer (via the CLI's `--no-skip-generated` / `TRIBUNAL_NO_SKIP_GENERATED=1`) to disable it
+ * entirely — an opinionated default must never silently suppress a file the user wants checked.
+ *
+ * Scope: advisory, on `riskyDiffNoTest` only. It does NOT affect the verdict path, `exitCode`, or other
+ * analyzers.
+ */
+/** Directory prefixes whose contents are treated as generated (trailing slash = path segment match). */
+const GENERATED_DIRS = [
+    'dist/',
+    'action-dist/',
+    'build/',
+    'out/',
+    '.next/',
+    '.output/',
+    '.svelte-kit/',
+    'coverage/',
+    '.turbo/',
+    '.cache/',
+    'node_modules/',
+];
+/** File suffixes treated as generated (minified/bundled output). */
+const GENERATED_SUFFIXES = ['.min.js', '.min.cjs', '.min.mjs', '.bundle.js'];
+/** The full default pattern set, exported so a future config file can extend or replace it. */
+export const GENERATED_PATH_PATTERNS = [...GENERATED_DIRS, ...GENERATED_SUFFIXES];
+/**
+ * True if a repo-relative path looks like generated/build output. Normalizes to forward slashes so it
+ * works regardless of platform. A path matches if any segment begins with a generated dir prefix, the
+ * basename ends with a generated suffix, OR it matches an extra pattern (from tribunal.yml config).
+ *
+ * Extra patterns are appended to the built-ins at match time — config can only ADD coverage, never drop
+ * a safety net. An extra pattern is matched as: a dir-prefix (vendor-gen with trailing slash), a suffix
+ * (.gen.ts), or a simple glob with single-segment star and double-star across segments.
+ */
+export function isGeneratedPath(path, extraPatterns = []) {
+    if (!path)
+        return false;
+    // Normalize backslashes to forward slashes so matching is platform-independent.
+    const norm = path.indexOf('\\') >= 0 ? path.split('\\').join('/') : path;
+    for (const dir of GENERATED_DIRS) {
+        // match `dir` as the first segment (e.g. dist/...) OR any nested segment (e.g. pkg/dist/...)
+        if (norm === dir.slice(0, -1) || norm.startsWith(dir) || norm.includes('/' + dir))
+            return true;
+    }
+    const base = norm.split('/').pop() ?? norm;
+    for (const suffix of GENERATED_SUFFIXES) {
+        if (base.endsWith(suffix))
+            return true;
+    }
+    for (const pat of extraPatterns) {
+        if (matchExtraPattern(norm, pat))
+            return true;
+    }
+    return false;
+}
+/**
+ * Match a config-supplied extra pattern. Supports plain dir-prefix (`vendor-gen/`), plain suffix
+ * (`.gen.ts`), and `*`/`**` globs. Kept deliberately simple — covers the common "this dir/file is
+ * generated" cases without a full glob library.
+ */
+function matchExtraPattern(normPath, pattern) {
+    const p = pattern.trim();
+    if (p === '')
+        return false;
+    // No glob chars: treat as dir-prefix or suffix (same heuristic as the built-ins).
+    if (!/[*?]/.test(p)) {
+        if (p.endsWith('/'))
+            return normPath === p.slice(0, -1) || normPath.startsWith(p) || normPath.includes('/' + p);
+        const base = normPath.split('/').pop() ?? normPath;
+        return base.endsWith(p) || normPath === p;
+    }
+    // Glob: convert to a regex. `**` → match across segments; `*` → within one segment; escape the rest.
+    const re = globToRegex(p);
+    // Match the path itself, or any path under a matched dir (so `**/*.gen.ts` and `vendor-gen/**` both
+    // behave intuitively).
+    return re.test(normPath) || re.test(normPath + '/');
+}
+/** Convert a simple `*`/`**` glob into a RegExp. */
+function globToRegex(glob) {
+    let out = '^';
+    let i = 0;
+    while (i < glob.length) {
+        const c = glob[i];
+        if (glob.startsWith('**', i)) {
+            out += '.*';
+            i += 2;
+        }
+        else if (c === '*') {
+            out += '[^/]*';
+            i += 1;
+        }
+        else if (/[a-zA-Z0-9_]/.test(c)) {
+            out += c;
+            i += 1;
+        }
+        else {
+            // Escape any other punctuation (., /, -, etc.) for regex safety.
+            out += '\\' + c;
+            i += 1;
+        }
+    }
+    return new RegExp(out + '$');
+}
+//# sourceMappingURL=paths.js.map

package/dist/paths.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"paths.js","sourceRoot":"","sources":["../src/paths.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,wGAAwG;AACxG,MAAM,cAAc,GAAG;IACrB,OAAO;IACP,cAAc;IACd,QAAQ;IACR,MAAM;IACN,QAAQ;IACR,UAAU;IACV,cAAc;IACd,WAAW;IACX,SAAS;IACT,SAAS;IACT,eAAe;CAChB,CAAC;AAEF,oEAAoE;AACpE,MAAM,kBAAkB,GAAG,CAAC,SAAS,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;AAE7E,+FAA+F;AAC/F,MAAM,CAAC,MAAM,uBAAuB,GAAsB,CAAC,GAAG,cAAc,EAAE,GAAG,kBAAkB,CAAC,CAAC;AAErG;;;;;;;;GAQG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY,EAAE,gBAAmC,EAAE;IACjF,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,gFAAgF;IAChF,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACzE,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;QACjC,6FAA6F;QAC7F,IAAI,IAAI,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IACjG,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC;IAC3C,KAAK,MAAM,MAAM,IAAI,kBAAkB,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IACzC,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;QAChC,IAAI,iBAAiB,CAAC,IAAI,EAAE,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,QAAgB,EAAE,OAAe;IAC1D,MAAM,CAAC,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;IACzB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAC3B,kFAAkF;IAClF,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACpB,IAAI,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC;YAAE,OAAO,QAAQ,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC;QAChH,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;QACnD,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC;IAC5C,CAAC;IACD,qGAAqG;IACrG,MAAM,EAAE,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC1B,oGAAoG;IACpG,uBAAuB;IACvB,OAAO,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,GAAG,GAAG,CAAC,CAAC;AACtD,CAAC;AAED,oDAAoD;AACpD,SAAS,WAAW,CAAC,IAAY;IAC/B,IAAI,GAAG,GAAG,GAAG,CAAC;IACd,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,IAAI,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC,CAAC,EAAE,CAAC;YAC7B,GAAG,IAAI,IAAI,CAAC;YACZ,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,GAAG,IAAI,OAAO,CAAC;YACf,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAClC,GAAG,IAAI,CAAC,CAAC;YACT,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,CAAC;YACN,iEAAiE;YACjE,GAAG,IAAI,IAAI,GAAG,CAAC,CAAC;YAChB,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;IACH,CAAC;IACD,OAAO,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,CAAC,CAAC;AAC/B,CAAC"}

package/dist/propose.d.ts

@@ -0,0 +1,103 @@
+/**
+ * `tribunal propose` — an LLM-*proposer* that turns a diff (and optional PR body) into a
+ * ```tribunal claims block of CANDIDATE claims, for the existing deterministic `tribunal check` to
+ * adjudicate.
+ *
+ * ── The Trust-Contract boundary (SPEC §1): a model may PROPOSE a claim to check; a model may never
+ *    ADJUDICATE. This module honors that with two guarantees:
+ *
+ *   1. SEPARATION: nothing here imports or calls `runAnalyzers`, `runTribunal`, `exitCode`, or any
+ *      verifier. `propose` only reads a diff and writes a claims block. The verdict path is untouched.
+ *   2. DEFENSE-IN-DEPTH: even if the model hallucinates a key or is prompt-injected, the *existing*
+ *      `claimReconciliation` verifier map degrades every unrecognized key to 🟡 UNVERIFIED (never 🔴).
+ *      So the worst a malicious LLM can do is emit noise that the deterministic checker labels yellow.
+ *      It cannot flip a build red. We additionally constrain the prompt to the recognized set and
+ *      validate the response, but those are convenience, not the safety boundary — the boundary is
+ *      architectural.
+ *
+ * ── The send-guard: the full diff is source code, and sending it to an external LLM endpoint is an
+ *    outward-facing publish. `propose` refuses to send unless the caller opts in with `allowSendDiff`.
+ *    Without it, the prompt is printed for review and nothing leaves the machine.
+ */
+import type { Claim } from './types.js';
+/** The closed claim vocabulary the model is allowed to propose from, deduped & sorted for the prompt. */
+export declare const PROPOSABLE_CLAIMS: readonly string[];
+/**
+ * Build the { system, user } prompt for the proposer. Pure & deterministic — no I/O. The prompt:
+ *   - tells the model the ONLY keys it may emit (the recognized set),
+ *   - explains that any other output is useless (it degrades to UNVERIFIED in the checker),
+ *   - asks for a JSON object so parsing is robust,
+ *   - includes the full diff (per the chosen design) + any PR body as context.
+ *
+ * Note on the diff in the prompt: prompt-injection from diff content cannot escalate here, because the
+ * model's output is never trusted (see module doc + `validateAndNormalize`). It can at worst produce a
+ * claim key, which is either recognized (and then deterministically verified by `check`) or ignored.
+ */
+export declare function buildPrompt(diff: string, prBody: string | undefined, proposals?: readonly string[]): {
+    system: string;
+    user: string;
+};
+/**
+ * Parse a model response into candidate claims. Pure & fault-tolerant:
+ *   1. Try JSON first (preferred). Accept {"claims": [...]}.
+ *   2. Fall back to scanning for claim-key lines (covers endpoints without JSON mode).
+ * Then VALIDATE every key against the recognized set — unknown keys are dropped, never trusted. This
+ * is defense-in-depth: even a malicious/injected response cannot smuggle through an unrecognized key,
+ * because the *checker* would label it UNVERIFIED anyway, and we drop it here for cleanliness.
+ */
+export declare function extractClaimsFromResponse(text: string, proposals?: readonly string[]): Claim[];
+/**
+ * Render claims as a ```tribunal fenced block. This is the exact format `tribunal check --pr-body`
+ * consumes, so `propose` → `check` is a clean round-trip:
+ *
+ *     tribunal propose --diff pr.diff --allow-send-diff --out claims.md
+ *     tribunal check --diff pr.diff --pr-body claims.md
+ *
+ * The empty case uses a `#` comment (which `parseClaims` ignores) rather than a sentinel word, so an
+ * empty block round-trips to zero claims instead of becoming a bogus claim.
+ */
+export declare function renderClaimsBlock(claims: readonly Claim[]): string;
+/** An OpenAI-compatible chat-completions endpoint, abstracted for testability + provider choice. */
+export interface ProposeProvider {
+    endpoint: string;
+    model: string;
+    apiKey?: string;
+}
+/**
+ * Fetch-like function signature. Matches the global `fetch`. Injected so tests never touch the network
+ * and so the module stays deterministic.
+ */
+export type FetchLike = (url: string, init: {
+    method: string;
+    headers: Record<string, string>;
+    body: string;
+}) => Promise<{
+    ok: boolean;
+    status: number;
+    text: () => Promise<string>;
+}>;
+export interface RunProposeOptions {
+    diff: string;
+    prBody?: string;
+    provider: ProposeProvider;
+    /** The fetch implementation to use (defaults to global fetch). Inject for tests. */
+    fetch?: FetchLike;
+    /** When false (default), the prompt is printed for review and NOTHING is sent. */
+    allowSendDiff?: boolean;
+    /** Sink for human-facing notices (warnings, send confirmations). Defaults to stderr. */
+    notice?: (msg: string) => void;
+}
+export interface RunProposeResult {
+    /** The ```tribunal claims block to feed to `tribunal check`. */
+    block: string;
+    /** The parsed claims (empty if the model proposed nothing valid). */
+    claims: Claim[];
+    /** True if the model was actually called; false if the send-guard withheld the request. */
+    sent: boolean;
+}
+/**
+ * Orchestrate a propose run. With `allowSendDiff` false (the default) this prints the prompt and returns
+ * an empty claims block without contacting any endpoint — review-first. With it true, it calls the
+ * OpenAI-compatible endpoint, parses the response, and renders the claims block.
+ */
+export declare function runPropose(opts: RunProposeOptions): Promise<RunProposeResult>;

package/dist/propose.js

@@ -0,0 +1,175 @@
+/**
+ * `tribunal propose` — an LLM-*proposer* that turns a diff (and optional PR body) into a
+ * ```tribunal claims block of CANDIDATE claims, for the existing deterministic `tribunal check` to
+ * adjudicate.
+ *
+ * ── The Trust-Contract boundary (SPEC §1): a model may PROPOSE a claim to check; a model may never
+ *    ADJUDICATE. This module honors that with two guarantees:
+ *
+ *   1. SEPARATION: nothing here imports or calls `runAnalyzers`, `runTribunal`, `exitCode`, or any
+ *      verifier. `propose` only reads a diff and writes a claims block. The verdict path is untouched.
+ *   2. DEFENSE-IN-DEPTH: even if the model hallucinates a key or is prompt-injected, the *existing*
+ *      `claimReconciliation` verifier map degrades every unrecognized key to 🟡 UNVERIFIED (never 🔴).
+ *      So the worst a malicious LLM can do is emit noise that the deterministic checker labels yellow.
+ *      It cannot flip a build red. We additionally constrain the prompt to the recognized set and
+ *      validate the response, but those are convenience, not the safety boundary — the boundary is
+ *      architectural.
+ *
+ * ── The send-guard: the full diff is source code, and sending it to an external LLM endpoint is an
+ *    outward-facing publish. `propose` refuses to send unless the caller opts in with `allowSendDiff`.
+ *    Without it, the prompt is printed for review and nothing leaves the machine.
+ */
+import { recognizedClaims } from './analyzers/claimReconciliation.js';
+/** The closed claim vocabulary the model is allowed to propose from, deduped & sorted for the prompt. */
+export const PROPOSABLE_CLAIMS = Array.from(new Set(recognizedClaims)).sort();
+/**
+ * Build the { system, user } prompt for the proposer. Pure & deterministic — no I/O. The prompt:
+ *   - tells the model the ONLY keys it may emit (the recognized set),
+ *   - explains that any other output is useless (it degrades to UNVERIFIED in the checker),
+ *   - asks for a JSON object so parsing is robust,
+ *   - includes the full diff (per the chosen design) + any PR body as context.
+ *
+ * Note on the diff in the prompt: prompt-injection from diff content cannot escalate here, because the
+ * model's output is never trusted (see module doc + `validateAndNormalize`). It can at worst produce a
+ * claim key, which is either recognized (and then deterministically verified by `check`) or ignored.
+ */
+export function buildPrompt(diff, prBody, proposals = PROPOSABLE_CLAIMS) {
+    const list = proposals.map((k) => `  - ${k}`).join('\n');
+    const system = [
+        'You are a strict claim-proposer for Tribunal, a deterministic PR-check tool.',
+        'You PROPOSE candidate claims; you NEVER decide whether a claim holds. A separate deterministic',
+        'engine will verify each claim. Your job is only to suggest which claims a reviewer should ask the',
+        'engine to check, based on what the PR appears to do.',
+        '',
+        `You may ONLY propose claim keys from this closed set (emit nothing else):`,
+        list,
+        '',
+        'Rules:',
+        '- Output ONLY a JSON object: {"claims": ["<key>", ...], "rationale": {"<key>": "<short reason>"}}.',
+        '- Use each key at most once. Use the exact spelling from the set above.',
+        '- Propose ONLY claims plausibly relevant to the diff. An empty claims array is a valid answer.',
+        '- Any key not in the set above is useless: it will be ignored by the engine. Do not invent keys.',
+        '- Do not output markdown, fences, commentary, or any text outside the JSON object.',
+    ].join('\n');
+    const userParts = [];
+    if (prBody && prBody.trim()) {
+        userParts.push('--- PR BODY (author description) ---', prBody.trim(), '');
+    }
+    userParts.push('--- DIFF (unified) ---', diff || '(empty diff)');
+    userParts.push('', 'Based on the above, output the JSON object of candidate claims. Remember: propose only from the', 'closed set, and only if plausibly relevant.');
+    const user = userParts.join('\n');
+    return { system, user };
+}
+/**
+ * Parse a model response into candidate claims. Pure & fault-tolerant:
+ *   1. Try JSON first (preferred). Accept {"claims": [...]}.
+ *   2. Fall back to scanning for claim-key lines (covers endpoints without JSON mode).
+ * Then VALIDATE every key against the recognized set — unknown keys are dropped, never trusted. This
+ * is defense-in-depth: even a malicious/injected response cannot smuggle through an unrecognized key,
+ * because the *checker* would label it UNVERIFIED anyway, and we drop it here for cleanliness.
+ */
+export function extractClaimsFromResponse(text, proposals = PROPOSABLE_CLAIMS) {
+    const allowed = new Set(proposals);
+    const keys = [];
+    // 1) JSON object.
+    const jsonMatch = text.match(/\{[\s\S]*\}/);
+    if (jsonMatch) {
+        try {
+            const obj = JSON.parse(jsonMatch[0]);
+            if (Array.isArray(obj.claims)) {
+                for (const c of obj.claims) {
+                    if (typeof c === 'string')
+                        keys.push(c);
+                }
+            }
+        }
+        catch {
+            // fall through to line scan
+        }
+    }
+    // 2) Fallback: tokenize the plain text on any run of chars that aren't [a-z0-9-], then keep only
+    //    tokens that are exactly a recognized key. This handles endpoints without JSON mode that emit
+    //    plain text like "added-test\nno-public-api-change". Only triggers if JSON parsing yielded
+    //    nothing. Keys contain hyphens, so we tokenize on `[^a-z0-9-]+` (not whitespace→hyphen, which
+    //    would merge keys into their neighbors and never match).
+    if (keys.length === 0) {
+        const tokenSet = new Set(text.toLowerCase().split(/[^a-z0-9-]+/).filter(Boolean));
+        for (const k of proposals) {
+            if (tokenSet.has(k))
+                keys.push(k);
+        }
+    }
+    // Validate + dedupe, preserving first-seen order.
+    const seen = new Set();
+    const claims = [];
+    for (const raw of keys) {
+        const key = raw.trim().toLowerCase().replace(/[_\s]+/g, '-');
+        if (!allowed.has(key) || seen.has(key))
+            continue;
+        seen.add(key);
+        claims.push({ key, arg: undefined, raw: key });
+    }
+    return claims;
+}
+/**
+ * Render claims as a ```tribunal fenced block. This is the exact format `tribunal check --pr-body`
+ * consumes, so `propose` → `check` is a clean round-trip:
+ *
+ *     tribunal propose --diff pr.diff --allow-send-diff --out claims.md
+ *     tribunal check --diff pr.diff --pr-body claims.md
+ *
+ * The empty case uses a `#` comment (which `parseClaims` ignores) rather than a sentinel word, so an
+ * empty block round-trips to zero claims instead of becoming a bogus claim.
+ */
+export function renderClaimsBlock(claims) {
+    if (claims.length === 0) {
+        return '```tribunal\n# (no claims proposed)\n```';
+    }
+    return '```tribunal\n' + claims.map((c) => c.key).join('\n') + '\n```';
+}
+/**
+ * Orchestrate a propose run. With `allowSendDiff` false (the default) this prints the prompt and returns
+ * an empty claims block without contacting any endpoint — review-first. With it true, it calls the
+ * OpenAI-compatible endpoint, parses the response, and renders the claims block.
+ */
+export async function runPropose(opts) {
+    const notice = opts.notice ?? ((m) => process.stderr.write(`${m}\n`));
+    const { system, user } = buildPrompt(opts.diff, opts.prBody);
+    if (!opts.allowSendDiff) {
+        const lineCount = opts.diff ? opts.diff.split('\n').length : 0;
+        const byteCount = Buffer.byteLength(`${system}\n\n${user}`, 'utf8');
+        notice(`propose: send-guard active — NOT sending. Would send ${lineCount} diff lines / ${byteCount} bytes ` +
+            `to ${opts.provider.endpoint} (${opts.provider.model}).`);
+        notice('propose: review the prompt above; rerun with --allow-send-diff to actually send.');
+        // Print the full prompt to stdout for review (before the empty block).
+        process.stdout.write(`${system}\n\n${user}\n`);
+        return { block: renderClaimsBlock([]), claims: [], sent: false };
+    }
+    notice(`propose: sending diff to ${opts.provider.endpoint} (model: ${opts.provider.model}).`);
+    const fetchFn = opts.fetch ?? globalThis.fetch;
+    const res = await fetchFn(`${opts.provider.endpoint.replace(/\/$/, '')}/chat/completions`, {
+        method: 'POST',
+        headers: {
+            'content-type': 'application/json',
+            ...(opts.provider.apiKey ? { authorization: `Bearer ${opts.provider.apiKey}` } : {}),
+        },
+        body: JSON.stringify({
+            model: opts.provider.model,
+            messages: [
+                { role: 'system', content: system },
+                { role: 'user', content: user },
+            ],
+            temperature: 0,
+            response_format: { type: 'json_object' },
+        }),
+    });
+    if (!res.ok) {
+        const body = await res.text().catch(() => '<no body>');
+        throw new Error(`propose: provider returned HTTP ${res.status}: ${body.slice(0, 500)}`);
+    }
+    const data = JSON.parse(await res.text());
+    const content = data.choices?.[0]?.message?.content ?? '';
+    const claims = extractClaimsFromResponse(content);
+    return { block: renderClaimsBlock(claims), claims, sent: true };
+}
+//# sourceMappingURL=propose.js.map

package/dist/propose.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"propose.js","sourceRoot":"","sources":["../src/propose.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,oCAAoC,CAAC;AAEtE,yGAAyG;AACzG,MAAM,CAAC,MAAM,iBAAiB,GAAsB,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAEjG;;;;;;;;;;GAUG;AACH,MAAM,UAAU,WAAW,CACzB,IAAY,EACZ,MAA0B,EAC1B,YAA+B,iBAAiB;IAEhD,MAAM,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG;QACb,8EAA8E;QAC9E,gGAAgG;QAChG,mGAAmG;QACnG,sDAAsD;QACtD,EAAE;QACF,2EAA2E;QAC3E,IAAI;QACJ,EAAE;QACF,QAAQ;QACR,oGAAoG;QACpG,yEAAyE;QACzE,gGAAgG;QAChG,kGAAkG;QAClG,oFAAoF;KACrF,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEb,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;QAC5B,SAAS,CAAC,IAAI,CAAC,sCAAsC,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;IAC5E,CAAC;IACD,SAAS,CAAC,IAAI,CAAC,wBAAwB,EAAE,IAAI,IAAI,cAAc,CAAC,CAAC;IACjE,SAAS,CAAC,IAAI,CACZ,EAAE,EACF,iGAAiG,EACjG,6CAA6C,CAC9C,CAAC;IACF,MAAM,IAAI,GAAG,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;AAC1B,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,yBAAyB,CACvC,IAAY,EACZ,YAA+B,iBAAiB;IAEhD,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IACnC,MAAM,IAAI,GAAa,EAAE,CAAC;IAE1B,kBAAkB;IAClB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC5C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAyB,CAAC;YAC7D,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC9B,KAAK,MAAM,CAAC,IAAI,GAAG,CAAC,MAAM,EAAE,CAAC;oBAC3B,IAAI,OAAO,CAAC,KAAK,QAAQ;wBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAC1C,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,4BAA4B;QAC9B,CAAC;IACH,CAAC;IAED,iGAAiG;IACjG,kGAAkG;IAClG,+FAA+F;IAC/F,kGAAkG;IAClG,6DAA6D;IAC7D,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;QAClF,KAAK,MAAM,CAAC,IAAI,SAAS,EAAE,CAAC;YAC1B,IAAI,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACpC,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,MAAM,MAAM,GAAY,EAAE,CAAC;IAC3B,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC;QAC7D,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,SAAS;QACjD,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACd,MAAM,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAwB;IACxD,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,0CAA0C,CAAC;IACpD,CAAC;IACD,OAAO,eAAe,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC;AACzE,CAAC;AA2CD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,IAAuB;IACtD,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,IAAI,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC;IAC9E,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,WAAW,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;IAE7D,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;QACxB,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/D,MAAM,SAAS,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,MAAM,OAAO,IAAI,EAAE,EAAE,MAAM,CAAC,CAAC;QACpE,MAAM,CACJ,wDAAwD,SAAS,iBAAiB,SAAS,SAAS;YAClG,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,CAC3D,CAAC;QACF,MAAM,CAAC,kFAAkF,CAAC,CAAC;QAC3F,uEAAuE;QACvE,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,OAAO,IAAI,IAAI,CAAC,CAAC;QAC/C,OAAO,EAAE,KAAK,EAAE,iBAAiB,CAAC,EAAE,CAAC,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC;IACnE,CAAC;IAED,MAAM,CAAC,4BAA4B,IAAI,CAAC,QAAQ,CAAC,QAAQ,YAAY,IAAI,CAAC,QAAQ,CAAC,KAAK,IAAI,CAAC,CAAC;IAC9F,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAK,UAAU,CAAC,KAA8B,CAAC;IACzE,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,mBAAmB,EAAE;QACzF,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,UAAU,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACrF;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACnB,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK;YAC1B,QAAQ,EAAE;gBACR,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE;gBACnC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE;aAChC;YACD,WAAW,EAAE,CAAC;YACd,eAAe,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE;SACzC,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,WAAW,CAAC,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,mCAAmC,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;IAC1F,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAEvC,CAAC;IACF,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;IAC1D,MAAM,MAAM,GAAG,yBAAyB,CAAC,OAAO,CAAC,CAAC;IAClD,OAAO,EAAE,KAAK,EAAE,iBAAiB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;AAClE,CAAC"}

package/dist/report/render.d.ts

@@ -8,3 +8,8 @@ export declare function exitCode(report: Report, hardFail: boolean): number;
 export declare function renderJson(report: Report): string;
 /** Markdown intended for a PR comment: blocking findings first, PASS collapsed to a count. */
 export declare function renderMarkdown(report: Report, hardFail: boolean): string;
+/**
+ * Render the report as a SARIF Log v2.1.0 JSON string. Each analyzer becomes a `rule`; each
+ * CONTRADICTED/UNVERIFIED finding becomes a `result` (PASS findings are omitted).
+ */
+export declare function renderSarif(report: Report): string;