@gitgov/core 1.10.1 → 1.11.0

package/dist/src/index.js

@@ -3,16 +3,18 @@ import addFormats from 'ajv-formats';
 import * as fs7 from 'fs';
 import { promises, existsSync, constants, readFileSync, writeFileSync } from 'fs';
 import * as yaml from 'js-yaml';
-import { generateKeyPair, createHash, sign, verify } from 'crypto';
+import { generateKeyPair, randomUUID, createHash, sign, verify } from 'crypto';
 import { promisify } from 'util';
 import * as path6 from 'path';
 import path6__default, { join, basename, dirname } from 'path';
 import { createRequire } from 'module';
 import { fileURLToPath } from 'url';
+import * as fs11 from 'fs/promises';
 import { readdir } from 'fs/promises';
-import { exec } from 'child_process';
+import { exec, execSync } from 'child_process';
 import os from 'os';
 import { EventEmitter } from 'events';
+import fg from 'fast-glob';
 
 var __defProp = Object.defineProperty;
 var __export = (target, all) => {
@@ -3305,6 +3307,37 @@ var ConfigManager = class _ConfigManager {
     }
     await promises.writeFile(this.sessionPath, JSON.stringify(session, null, 2), "utf-8");
   }
+  /**
+   * Get audit state from config.json
+   * Returns last full audit commit and timestamp for incremental mode
+   */
+  async getAuditState() {
+    const config = await this.loadConfig();
+    return {
+      lastFullAuditCommit: config?.state?.audit?.lastFullAuditCommit || null,
+      lastFullAuditTimestamp: config?.state?.audit?.lastFullAuditTimestamp || null,
+      lastFullAuditFindingsCount: config?.state?.audit?.lastFullAuditFindingsCount ?? null
+    };
+  }
+  /**
+   * Update audit state in config.json after a full audit
+   * This is used to enable incremental audits
+   */
+  async updateAuditState(auditState) {
+    const config = await this.loadConfig();
+    if (!config) {
+      throw new Error("Cannot update audit state: config.json not found");
+    }
+    if (!config.state) {
+      config.state = {};
+    }
+    config.state.audit = {
+      lastFullAuditCommit: auditState.lastFullAuditCommit,
+      lastFullAuditTimestamp: auditState.lastFullAuditTimestamp,
+      lastFullAuditFindingsCount: auditState.lastFullAuditFindingsCount
+    };
+    await promises.writeFile(this.configPath, JSON.stringify(config, null, 2), "utf-8");
+  }
   /**
    * Finds the project root by searching upwards for a .git directory.
    * Caches the result for subsequent calls.
@@ -7510,8 +7543,8 @@ var ProjectAdapter = class {
   /**
    * [EARS-2] Validates environment for GitGovernance initialization
    */
-  async validateEnvironment(path8) {
-    const targetPath = path8 || process.env["GITGOV_ORIGINAL_DIR"] || process.cwd();
+  async validateEnvironment(path10) {
+    const targetPath = path10 || process.env["GITGOV_ORIGINAL_DIR"] || process.cwd();
     const warnings = [];
     const suggestions = [];
     try {
@@ -9924,22 +9957,22 @@ var LintModule = class {
       );
     }
     this.fileSystem = dependencies.fileSystem ?? {
-      readFile: async (path8, encoding) => {
-        return promises.readFile(path8, encoding);
+      readFile: async (path10, encoding) => {
+        return promises.readFile(path10, encoding);
       },
-      writeFile: async (path8, content) => {
-        await promises.writeFile(path8, content, "utf-8");
+      writeFile: async (path10, content) => {
+        await promises.writeFile(path10, content, "utf-8");
       },
-      exists: async (path8) => {
+      exists: async (path10) => {
         try {
-          await promises.access(path8);
+          await promises.access(path10);
           return true;
         } catch {
           return false;
         }
       },
-      unlink: async (path8) => {
-        await promises.unlink(path8);
+      unlink: async (path10) => {
+        await promises.unlink(path10);
       }
     };
   }
@@ -10447,8 +10480,8 @@ var LintModule = class {
    * This ensures we know the correct type for each record based on its directory.
    * @private
    */
-  async discoverAllRecordsWithTypes(path8) {
-    const projectRoot2 = ConfigManager.findProjectRoot() || path8 || ".gitgov/";
+  async discoverAllRecordsWithTypes(path10) {
+    const projectRoot2 = ConfigManager.findProjectRoot() || path10 || ".gitgov/";
     const recordTypes = [
       "actor",
       "agent",
@@ -14020,10 +14053,10 @@ var RelationshipAnalyzer = class {
     }
     const visited = /* @__PURE__ */ new Set();
     const recursionStack = /* @__PURE__ */ new Set();
-    const path8 = [];
+    const path10 = [];
     for (const node of graph.keys()) {
       if (!visited.has(node)) {
-        const cyclePath = this.findCycleDFS(node, graph, visited, recursionStack, path8);
+        const cyclePath = this.findCycleDFS(node, graph, visited, recursionStack, path10);
         if (cyclePath.length > 0) {
           const cycleDescription = this.formatCycleError(cyclePath);
           throw new CircularDependencyError(cycleDescription);
@@ -14034,24 +14067,24 @@ var RelationshipAnalyzer = class {
   /**
    * DFS helper for circular dependency detection with path tracking
    */
-  findCycleDFS(node, graph, visited, recursionStack, path8) {
+  findCycleDFS(node, graph, visited, recursionStack, path10) {
     visited.add(node);
     recursionStack.add(node);
-    path8.push(node);
+    path10.push(node);
     const neighbors = graph.get(node) || [];
     for (const neighbor of neighbors) {
       if (!visited.has(neighbor)) {
-        const cyclePath = this.findCycleDFS(neighbor, graph, visited, recursionStack, path8);
+        const cyclePath = this.findCycleDFS(neighbor, graph, visited, recursionStack, path10);
         if (cyclePath.length > 0) {
           return cyclePath;
         }
       } else if (recursionStack.has(neighbor)) {
-        const cycleStartIndex = path8.indexOf(neighbor);
-        return path8.slice(cycleStartIndex).concat([neighbor]);
+        const cycleStartIndex = path10.indexOf(neighbor);
+        return path10.slice(cycleStartIndex).concat([neighbor]);
       }
     }
     recursionStack.delete(node);
-    path8.pop();
+    path10.pop();
     return [];
   }
   /**
@@ -14759,6 +14792,832 @@ var DiagramGenerator = class {
   }
 };
 
-export { adapters_exports as Adapters, backlog_adapter_exports as BacklogAdapter, changelog_adapter_exports as ChangelogAdapter, config_manager_exports as Config, crypto_exports as Crypto, diagram_generator_exports as DiagramGenerator, event_bus_exports as EventBus, execution_adapter_exports as ExecutionAdapter, factories_exports as Factories, feedback_adapter_exports as FeedbackAdapter, git_exports as Git, identity_adapter_exports as IdentityAdapter, indexer_adapter_exports as IndexerAdapter, lint_exports as Lint, logger_exports as Logger, metrics_adapter_exports as MetricsAdapter, project_adapter_exports as ProjectAdapter, types_exports as Records, schemas_exports as Schemas, store_exports as Store, sync_exports as Sync, validation_exports as Validation, workflow_methodology_adapter_exports as WorkflowMethodologyAdapter };
+// src/pii_detector/index.ts
+var pii_detector_exports = {};
+__export(pii_detector_exports, {
+  HeuristicDetector: () => HeuristicDetector,
+  HttpLlmDetector: () => HttpLlmDetector,
+  PiiDetectorModule: () => PiiDetectorModule,
+  REGEX_RULES: () => REGEX_RULES,
+  RegexDetector: () => RegexDetector
+});
+
+// src/pii_detector/rules/regex_rules.ts
+var REGEX_RULES = [
+  // === PII ===
+  {
+    id: "PII-001",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    category: "pii-email",
+    severity: "high",
+    message: "Email address detected in source code",
+    suggestion: "Move to configuration or environment variable",
+    legalReference: "GDPR Art. 4(1)"
+  },
+  {
+    id: "PII-002",
+    pattern: /(\+?\d{1,3}[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g,
+    category: "pii-phone",
+    severity: "medium",
+    message: "Phone number pattern detected",
+    suggestion: "Avoid hardcoding personal phone numbers"
+  },
+  {
+    id: "PII-003",
+    pattern: /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+    category: "pii-financial",
+    severity: "critical",
+    message: "Potential credit card number detected",
+    suggestion: "Never store credit card numbers in source code",
+    legalReference: "PCI-DSS, GDPR Art. 32"
+  },
+  {
+    id: "PII-004",
+    pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+    category: "pii-generic",
+    severity: "critical",
+    message: "US Social Security Number pattern detected",
+    suggestion: "SSNs must never be stored in source code"
+  },
+  {
+    id: "PII-005",
+    pattern: /\b(ssn|dni|document_number|iban)\b/gi,
+    category: "pii-generic",
+    severity: "medium",
+    message: "Sensitive field name detected",
+    suggestion: "Review if real data or structure requiring encryption"
+  },
+  // === SECRETS ===
+  {
+    id: "SEC-001",
+    pattern: /(?:api[_-]?key|apikey|secret[_-]?key)\s*[:=]\s*['"][^'"]{20,}['"]/gi,
+    category: "hardcoded-secret",
+    severity: "critical",
+    message: "Hardcoded API key detected",
+    suggestion: "Use environment variables or secret management"
+  },
+  {
+    id: "SEC-002",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    category: "hardcoded-secret",
+    severity: "critical",
+    message: "AWS Access Key ID detected",
+    suggestion: "Rotate this key immediately and use IAM roles"
+  },
+  {
+    id: "SEC-003",
+    pattern: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g,
+    category: "hardcoded-secret",
+    severity: "critical",
+    message: "Private key detected in source code",
+    suggestion: "Never commit private keys. Use secret management."
+  },
+  // === LOGGING PII ===
+  {
+    id: "LOG-001",
+    pattern: /console\.(log|info|warn|error)\s*\([^)]*(?:email|password|ssn|phone|credit)/gi,
+    category: "logging-pii",
+    severity: "high",
+    message: "Potential PII being logged",
+    suggestion: "Sanitize logs to remove personal data",
+    legalReference: "GDPR Art. 5(1)(f)"
+  }
+];
+
+// src/pii_detector/detectors/regex_detector.ts
+var MAX_SNIPPET_LENGTH = 300;
+function generateFingerprint(ruleId, file, line) {
+  return createHash("sha256").update(`${ruleId}:${file}:${line}`).digest("hex");
+}
+function truncateSnippet(snippet) {
+  if (snippet.length <= MAX_SNIPPET_LENGTH) {
+    return snippet;
+  }
+  return snippet.slice(0, MAX_SNIPPET_LENGTH - 3) + "...";
+}
+function getLineNumber(content, index) {
+  return content.slice(0, index).split("\n").length;
+}
+function extractSnippet(content, matchIndex) {
+  const lines = content.split("\n");
+  const lineNumber = getLineNumber(content, matchIndex);
+  const line = lines[lineNumber - 1] || "";
+  return truncateSnippet(line.trim());
+}
+var RegexDetector = class {
+  name = "regex";
+  rules;
+  constructor(ruleIds) {
+    if (ruleIds && ruleIds.length > 0) {
+      this.rules = REGEX_RULES.filter((r) => ruleIds.includes(r.id));
+    } else {
+      this.rules = REGEX_RULES;
+    }
+  }
+  async detect(content, filePath) {
+    const findings = [];
+    for (const rule of this.rules) {
+      const pattern = new RegExp(rule.pattern.source, rule.pattern.flags);
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const line = getLineNumber(content, match.index);
+        const snippet = extractSnippet(content, match.index);
+        const finding = {
+          id: randomUUID(),
+          ruleId: rule.id,
+          category: rule.category,
+          severity: rule.severity,
+          file: filePath,
+          line,
+          snippet,
+          message: rule.message,
+          detector: this.name,
+          fingerprint: generateFingerprint(rule.id, filePath, line),
+          confidence: 1
+        };
+        if (rule.suggestion) finding.suggestion = rule.suggestion;
+        if (rule.legalReference) finding.legalReference = rule.legalReference;
+        findings.push(finding);
+      }
+    }
+    return findings;
+  }
+};
+var MAX_SNIPPET_LENGTH2 = 300;
+var SENSITIVE_VAR_PATTERN = /\b(user|customer|client|employee|patient)(_)?(email|phone|ssn|address|creditcard|password)\b/gi;
+var LOGGING_PATTERN = /console\.(log|info|debug|warn)\s*\([^)]*\b(user|customer|request\.body|formData)\b/gi;
+var SERIALIZE_PATTERN = /JSON\.stringify\s*\([^)]*\b(user|customer|profile|account)\b/gi;
+var HEURISTIC_RULES = [
+  {
+    id: "HEUR-001",
+    pattern: SENSITIVE_VAR_PATTERN,
+    category: "pii-generic",
+    severity: "medium",
+    confidence: 0.7,
+    message: "Sensitive variable name detected",
+    suggestion: "Consider if this variable contains actual PII"
+  },
+  {
+    id: "HEUR-002",
+    pattern: LOGGING_PATTERN,
+    category: "logging-pii",
+    severity: "medium",
+    confidence: 0.6,
+    message: "Logging of potentially sensitive object detected",
+    suggestion: "Sanitize logged objects to remove PII"
+  },
+  {
+    id: "HEUR-003",
+    pattern: SERIALIZE_PATTERN,
+    category: "third-party-transfer",
+    severity: "low",
+    confidence: 0.5,
+    message: "JSON serialization of potentially sensitive object",
+    suggestion: "Ensure sensitive fields are excluded before serialization"
+  }
+];
+function generateFingerprint2(ruleId, file, line) {
+  return createHash("sha256").update(`${ruleId}:${file}:${line}`).digest("hex");
+}
+function truncateSnippet2(snippet) {
+  if (snippet.length <= MAX_SNIPPET_LENGTH2) {
+    return snippet;
+  }
+  return snippet.slice(0, MAX_SNIPPET_LENGTH2 - 3) + "...";
+}
+function getLineNumber2(content, index) {
+  return content.slice(0, index).split("\n").length;
+}
+function extractSnippet2(content, matchIndex) {
+  const lines = content.split("\n");
+  const lineNumber = getLineNumber2(content, matchIndex);
+  const line = lines[lineNumber - 1] || "";
+  return truncateSnippet2(line.trim());
+}
+var HeuristicDetector = class {
+  name = "heuristic";
+  async detect(content, filePath) {
+    const findings = [];
+    for (const rule of HEURISTIC_RULES) {
+      const pattern = new RegExp(rule.pattern.source, rule.pattern.flags);
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const line = getLineNumber2(content, match.index);
+        const snippet = extractSnippet2(content, match.index);
+        const finding = {
+          id: randomUUID(),
+          ruleId: rule.id,
+          category: rule.category,
+          severity: rule.severity,
+          file: filePath,
+          line,
+          snippet,
+          message: rule.message,
+          detector: this.name,
+          fingerprint: generateFingerprint2(rule.id, filePath, line),
+          confidence: rule.confidence
+        };
+        if (rule.suggestion) finding.suggestion = rule.suggestion;
+        findings.push(finding);
+      }
+    }
+    return findings;
+  }
+};
+var MAX_SNIPPET_LENGTH3 = 300;
+function generateFingerprint3(ruleId, file, line) {
+  return createHash("sha256").update(`${ruleId}:${file}:${line}`).digest("hex");
+}
+function truncateSnippet3(snippet) {
+  if (snippet.length <= MAX_SNIPPET_LENGTH3) {
+    return snippet;
+  }
+  return snippet.slice(0, MAX_SNIPPET_LENGTH3 - 3) + "...";
+}
+function isValidCategory(category) {
+  const validCategories = [
+    "pii-email",
+    "pii-phone",
+    "pii-financial",
+    "pii-health",
+    "pii-generic",
+    "hardcoded-secret",
+    "logging-pii",
+    "tracking-cookie",
+    "tracking-analytics-id",
+    "unencrypted-storage",
+    "third-party-transfer",
+    "unknown-risk"
+  ];
+  return validCategories.includes(category);
+}
+var HttpLlmDetector = class {
+  endpoint;
+  apiKey;
+  constructor(endpoint, apiKey) {
+    this.endpoint = endpoint;
+    this.apiKey = apiKey;
+  }
+  /**
+   * Analyzes code snippets with LLM for semantic PII detection.
+   * Implements EARS-18: Send candidates to LLM when quota available
+   * Implements EARS-19: Normalize LLM response to GdprFinding format
+   */
+  async analyzeSnippets(snippets) {
+    if (snippets.length === 0) {
+      return [];
+    }
+    const response = await fetch(this.endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.apiKey}`
+      },
+      body: JSON.stringify({ snippets })
+    });
+    if (!response.ok) {
+      throw new Error(`LLM API error: ${response.status} ${response.statusText}`);
+    }
+    const data = await response.json();
+    return this.normalizeFindings(data.findings);
+  }
+  /**
+   * Normalizes raw LLM findings to GdprFinding format.
+   */
+  normalizeFindings(rawFindings) {
+    return rawFindings.map((raw) => {
+      const category = isValidCategory(raw.category) ? raw.category : "unknown-risk";
+      const finding = {
+        id: randomUUID(),
+        ruleId: raw.ruleId ?? "LLM-001",
+        category,
+        severity: raw.severity,
+        file: raw.file,
+        line: raw.line,
+        snippet: truncateSnippet3(raw.snippet ?? ""),
+        message: raw.message,
+        detector: "llm",
+        fingerprint: generateFingerprint3(
+          raw.ruleId ?? "LLM-001",
+          raw.file,
+          raw.line
+        ),
+        confidence: raw.confidence ?? 0.9
+      };
+      if (raw.suggestion) finding.suggestion = raw.suggestion;
+      if (raw.legalReference) finding.legalReference = raw.legalReference;
+      return finding;
+    });
+  }
+};
+
+// src/pii_detector/pii_detector.ts
+var PiiDetectorModule = class {
+  localDetectors = [];
+  llmDetector;
+  llmConfig;
+  /**
+   * Constructs the module with graceful degradation.
+   * Without config -> only RegexDetector (Free tier).
+   */
+  constructor(config) {
+    if (config?.regex?.enabled === false) ; else {
+      this.localDetectors.push(new RegexDetector(config?.regex?.rules));
+    }
+    if (config?.heuristic?.enabled) {
+      this.localDetectors.push(new HeuristicDetector());
+    }
+    if (config?.llm?.enabled && config.llm.endpoint) {
+      this.llmConfig = config.llm;
+      const apiKey = process.env["GITGOV_LLM_API_KEY"];
+      if (apiKey) {
+        this.llmDetector = new HttpLlmDetector(config.llm.endpoint, apiKey);
+      }
+    }
+  }
+  /**
+   * Detects PII and secrets in file content.
+   *
+   * Flow:
+   * 1. Run all enabled local detectors (Phase 1)
+   * 2. Extract candidates with confidence < 0.8
+   * 3. If LLM enabled and quota OK, analyze candidates (Phase 2)
+   * 4. Merge and deduplicate by fingerprint
+   */
+  async detect(content, filePath) {
+    const localFindings = await this.runLocalDetectors(content, filePath);
+    let llmFindings = [];
+    if (this.llmDetector && this.checkQuota()) {
+      const candidates = this.extractCandidates(localFindings, content, filePath);
+      if (candidates.length > 0) {
+        try {
+          llmFindings = await this.llmDetector.analyzeSnippets(candidates);
+          this.decrementQuota(candidates.length);
+        } catch {
+        }
+      }
+    }
+    return this.deduplicateByFingerprint([...localFindings, ...llmFindings]);
+  }
+  /**
+   * Runs all local detectors and collects findings.
+   */
+  async runLocalDetectors(content, filePath) {
+    const results = await Promise.all(
+      this.localDetectors.map((d) => d.detect(content, filePath))
+    );
+    return results.flat();
+  }
+  /**
+   * Extracts CodeSnippets from low-confidence findings for LLM analysis.
+   * Includes 2 lines of context before and after.
+   * Implements EARS-15: Extract candidates with confidence < 0.8
+   */
+  extractCandidates(findings, content, filePath) {
+    const lines = content.split("\n");
+    const lang = this.detectLanguage(filePath);
+    return findings.filter((f) => f.confidence < 0.8).map((f) => ({
+      file: filePath,
+      lineStart: Math.max(1, f.line - 2),
+      lineEnd: Math.min(lines.length, f.line + 2),
+      language: lang,
+      content: lines.slice(Math.max(0, f.line - 3), f.line + 2).join("\n"),
+      heuristicTags: [f.category, f.detector]
+    }));
+  }
+  /**
+   * Checks if LLM quota is available.
+   * Implements EARS-20: Reject when trial expired
+   * Implements EARS-21: Reject when remainingUses is zero
+   */
+  checkQuota() {
+    if (!this.llmConfig) return false;
+    if (this.llmConfig.quotaType === "unlimited") return true;
+    if (this.llmConfig.quotaType === "trial") {
+      if (this.llmConfig.expiresAt) {
+        const expired = new Date(this.llmConfig.expiresAt) < /* @__PURE__ */ new Date();
+        if (expired) return false;
+      }
+    }
+    return (this.llmConfig.remainingUses ?? 0) > 0;
+  }
+  /**
+   * Decrements quota after successful LLM call.
+   * Implements EARS-22: Decrement remainingUses after successful call
+   */
+  decrementQuota(count) {
+    if (this.llmConfig?.remainingUses !== void 0) {
+      this.llmConfig.remainingUses = Math.max(
+        0,
+        this.llmConfig.remainingUses - count
+      );
+    }
+  }
+  /**
+   * Deduplicates findings by SHA256 fingerprint.
+   */
+  deduplicateByFingerprint(findings) {
+    const seen = /* @__PURE__ */ new Set();
+    return findings.filter((f) => {
+      if (seen.has(f.fingerprint)) return false;
+      seen.add(f.fingerprint);
+      return true;
+    });
+  }
+  /**
+   * Detects programming language based on file extension.
+   */
+  detectLanguage(filePath) {
+    const ext = filePath.split(".").pop()?.toLowerCase();
+    const map = {
+      ts: "typescript",
+      tsx: "typescript",
+      js: "javascript",
+      jsx: "javascript",
+      py: "python",
+      go: "go",
+      java: "java",
+      rs: "rust",
+      rb: "ruby"
+    };
+    return map[ext ?? ""] ?? "unknown";
+  }
+};
+
+// src/source_auditor/index.ts
+var source_auditor_exports = {};
+__export(source_auditor_exports, {
+  ScopeSelector: () => ScopeSelector,
+  ScoringEngine: () => ScoringEngine,
+  SourceAuditorModule: () => SourceAuditorModule,
+  WaiverReader: () => WaiverReader,
+  WaiverWriter: () => WaiverWriter
+});
+var ScopeSelector = class {
+  /**
+   * Selects files matching include patterns, excluding those matching exclude patterns.
+   * Automatically respects .gitignore patterns from the project root.
+   * If scope.changedSince is set, only returns files changed since that commit.
+   * @param scope - Include and exclude glob patterns, optional changedSince commit
+   * @param baseDir - Base directory for file search
+   * @returns Array of file paths relative to baseDir
+   */
+  async selectFiles(scope, baseDir) {
+    if (scope.include.length === 0) {
+      return [];
+    }
+    const gitignorePatterns = await this.loadGitignorePatterns(baseDir);
+    const allExcludes = [...gitignorePatterns, ...scope.exclude];
+    if (scope.changedSince) {
+      return this.selectChangedFiles(scope.changedSince, allExcludes, baseDir);
+    }
+    const files = await fg(scope.include, {
+      cwd: baseDir,
+      ignore: allExcludes,
+      onlyFiles: true,
+      absolute: false
+    });
+    return files.sort();
+  }
+  /**
+   * Selects files changed since a specific commit (incremental mode).
+   * Includes: git diff, modified files, untracked files.
+   */
+  async selectChangedFiles(sinceCommit, excludes, baseDir) {
+    const changedFiles = /* @__PURE__ */ new Set();
+    try {
+      const diffOutput = execSync(
+        `git diff --name-only ${sinceCommit}..HEAD`,
+        { cwd: baseDir, encoding: "utf-8" }
+      );
+      diffOutput.split("\n").filter(Boolean).forEach((f) => changedFiles.add(f));
+      const statusOutput = execSync(
+        `git status --porcelain`,
+        { cwd: baseDir, encoding: "utf-8" }
+      );
+      statusOutput.split("\n").filter(Boolean).forEach((line) => {
+        const file = line.slice(3).trim();
+        if (file) changedFiles.add(file);
+      });
+      const untrackedOutput = execSync(
+        `git ls-files --others --exclude-standard`,
+        { cwd: baseDir, encoding: "utf-8" }
+      );
+      untrackedOutput.split("\n").filter(Boolean).forEach((f) => changedFiles.add(f));
+    } catch {
+      return [];
+    }
+    const allFiles = Array.from(changedFiles);
+    if (allFiles.length === 0) {
+      return [];
+    }
+    const filtered = await fg(allFiles, {
+      cwd: baseDir,
+      ignore: excludes,
+      onlyFiles: true,
+      absolute: false
+    });
+    return filtered.sort();
+  }
+  /**
+   * Reads .gitignore and converts patterns to glob format.
+   * Returns empty array if .gitignore doesn't exist.
+   */
+  async loadGitignorePatterns(baseDir) {
+    const gitignorePath = path6.join(baseDir, ".gitignore");
+    try {
+      const content = await fs11.readFile(gitignorePath, "utf-8");
+      return this.parseGitignore(content);
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Parses .gitignore content into glob patterns.
+   * Handles comments, empty lines, and directory patterns.
+   */
+  parseGitignore(content) {
+    return content.split("\n").map((line) => line.trim()).filter((line) => line && !line.startsWith("#")).map((pattern) => {
+      if (pattern.endsWith("/")) {
+        return `**/${pattern}**`;
+      }
+      if (!pattern.includes("/")) {
+        return `**/${pattern}`;
+      }
+      return pattern;
+    });
+  }
+};
+
+// src/source_auditor/scoring_engine.ts
+var ScoringEngine = class {
+  /**
+   * Applies scoring rules to findings.
+   * Currently returns findings unchanged (future enhancement).
+   * @param findings - Findings to score
+   * @returns Scored findings (same as input for now)
+   */
+  score(findings) {
+    return findings;
+  }
+};
+
+// src/source_auditor/source_auditor.ts
+var BATCH_SIZE = 100;
+var SourceAuditorModule = class {
+  /**
+   * Creates module instance with injected dependencies.
+   * ScopeSelector and ScoringEngine are internal components.
+   */
+  constructor(deps) {
+    this.deps = deps;
+    this.scopeSelector = new ScopeSelector();
+    this.scoringEngine = new ScoringEngine();
+  }
+  scopeSelector;
+  scoringEngine;
+  /**
+   * Executes complete source code audit.
+   * Pipeline: Scope -> Detect -> Filter -> Score -> Output
+   */
+  async audit(options) {
+    const startTime = Date.now();
+    const baseDir = options.baseDir || process.cwd();
+    const files = await this.scopeSelector.selectFiles(options.scope, baseDir);
+    if (files.length === 0) {
+      return this.createEmptyResult(startTime);
+    }
+    let waivers = [];
+    try {
+      waivers = await this.deps.waiverReader.loadActiveWaivers();
+    } catch {
+    }
+    const { findings, scannedLines, detectors } = await this.runDetection(
+      files,
+      baseDir
+    );
+    const { newFindings, acknowledgedCount } = this.filterByWaivers(
+      findings,
+      waivers
+    );
+    const scoredFindings = this.scoringEngine.score(newFindings);
+    const duration = Date.now() - startTime;
+    return {
+      findings: scoredFindings,
+      summary: this.calculateSummary(scoredFindings),
+      scannedFiles: files.length,
+      scannedLines,
+      duration,
+      detectors: [...new Set(detectors)],
+      waivers: {
+        acknowledged: acknowledgedCount,
+        new: scoredFindings.length
+      }
+    };
+  }
+  /**
+   * Runs detection on all files, processing in batches for large file counts.
+   */
+  async runDetection(files, baseDir) {
+    const allFindings = [];
+    const detectors = [];
+    let scannedLines = 0;
+    const batches = this.createBatches(files, files.length > 1e3 ? BATCH_SIZE : files.length);
+    for (const batch of batches) {
+      for (const file of batch) {
+        const filePath = path6.join(baseDir, file);
+        try {
+          const content = await fs11.readFile(filePath, "utf-8");
+          scannedLines += content.split("\n").length;
+          const fileFindings = await this.deps.piiDetector.detect(content, file);
+          for (const finding of fileFindings) {
+            allFindings.push(finding);
+            if (!detectors.includes(finding.detector)) {
+              detectors.push(finding.detector);
+            }
+          }
+        } catch {
+          continue;
+        }
+      }
+    }
+    return { findings: allFindings, scannedLines, detectors };
+  }
+  /**
+   * Creates batches of files for processing.
+   */
+  createBatches(items, batchSize) {
+    const batches = [];
+    for (let i = 0; i < items.length; i += batchSize) {
+      batches.push(items.slice(i, i + batchSize));
+    }
+    return batches;
+  }
+  /**
+   * Filters findings that already have active waivers.
+   * @returns new findings and count of acknowledged
+   */
+  filterByWaivers(findings, waivers) {
+    const waiverFingerprints = new Set(waivers.map((w) => w.fingerprint));
+    const newFindings = findings.filter(
+      (f) => !waiverFingerprints.has(f.fingerprint)
+    );
+    const acknowledgedCount = findings.length - newFindings.length;
+    return { newFindings, acknowledgedCount };
+  }
+  /**
+   * Calculates summary of findings by severity, category, and detector.
+   */
+  calculateSummary(findings) {
+    const summary = {
+      total: findings.length,
+      bySeverity: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+      byCategory: {},
+      byDetector: { regex: 0, heuristic: 0, llm: 0 }
+    };
+    for (const finding of findings) {
+      summary.bySeverity[finding.severity]++;
+      summary.byCategory[finding.category] = (summary.byCategory[finding.category] || 0) + 1;
+      summary.byDetector[finding.detector]++;
+    }
+    return summary;
+  }
+  /**
+   * Creates empty result for when no files are selected.
+   */
+  createEmptyResult(startTime) {
+    return {
+      findings: [],
+      summary: {
+        total: 0,
+        bySeverity: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+        byCategory: {},
+        byDetector: { regex: 0, heuristic: 0, llm: 0 }
+      },
+      scannedFiles: 0,
+      scannedLines: 0,
+      duration: Date.now() - startTime,
+      detectors: [],
+      waivers: { acknowledged: 0, new: 0 }
+    };
+  }
+};
+
+// src/source_auditor/waiver_reader.ts
+var WaiverReader = class {
+  constructor(feedbackAdapter) {
+    this.feedbackAdapter = feedbackAdapter;
+  }
+  /**
+   * Loads all active waivers (non-expired).
+   * Filters by type: "approval" and metadata.fingerprint present.
+   */
+  async loadActiveWaivers() {
+    const allFeedback = await this.feedbackAdapter.getAllFeedback();
+    const now = /* @__PURE__ */ new Date();
+    const result = [];
+    for (const f of allFeedback) {
+      if (f.type !== "approval" || !f.metadata) continue;
+      const meta = f.metadata;
+      if (typeof meta.fingerprint !== "string") continue;
+      if (meta.expiresAt && new Date(meta.expiresAt) <= now) continue;
+      const waiver = {
+        fingerprint: meta.fingerprint,
+        ruleId: meta.ruleId,
+        feedback: f
+      };
+      if (meta.expiresAt) {
+        waiver.expiresAt = new Date(meta.expiresAt);
+      }
+      result.push(waiver);
+    }
+    return result;
+  }
+  /**
+   * Checks if a specific finding has an active waiver.
+   */
+  async hasActiveWaiver(fingerprint) {
+    const waivers = await this.loadActiveWaivers();
+    return waivers.some((w) => w.fingerprint === fingerprint);
+  }
+  /**
+   * Gets waivers for a specific ExecutionRecord.
+   */
+  async getWaiversForExecution(executionId) {
+    const feedback = await this.feedbackAdapter.getFeedbackByEntity(executionId);
+    const now = /* @__PURE__ */ new Date();
+    const result = [];
+    for (const f of feedback) {
+      if (f.type !== "approval" || !f.metadata) continue;
+      const meta = f.metadata;
+      if (typeof meta.fingerprint !== "string") continue;
+      if (meta.expiresAt && new Date(meta.expiresAt) <= now) continue;
+      const waiver = {
+        fingerprint: meta.fingerprint,
+        ruleId: meta.ruleId,
+        feedback: f
+      };
+      if (meta.expiresAt) {
+        waiver.expiresAt = new Date(meta.expiresAt);
+      }
+      result.push(waiver);
+    }
+    return result;
+  }
+};
+
+// src/source_auditor/waiver_writer.ts
+var WaiverWriter = class {
+  constructor(feedbackAdapter) {
+    this.feedbackAdapter = feedbackAdapter;
+  }
+  /**
+   * Creates a waiver for a specific finding.
+   * The waiver is stored as FeedbackRecord with type: "approval".
+   */
+  async createWaiver(options, actorId) {
+    const { finding, executionId, justification, expiresAt, relatedTaskId } = options;
+    const metadata = {
+      fingerprint: finding.fingerprint,
+      ruleId: finding.ruleId,
+      file: finding.file,
+      line: finding.line
+    };
+    if (expiresAt) {
+      metadata.expiresAt = expiresAt;
+    }
+    if (relatedTaskId) {
+      metadata.relatedTaskId = relatedTaskId;
+    }
+    await this.feedbackAdapter.create(
+      {
+        entityType: "execution",
+        entityId: executionId,
+        type: "approval",
+        status: "resolved",
+        content: justification,
+        metadata
+      },
+      actorId
+    );
+  }
+  /**
+   * Creates waivers in batch for multiple findings.
+   */
+  async createWaiversBatch(findings, executionId, justification, actorId) {
+    for (const finding of findings) {
+      await this.createWaiver(
+        {
+          finding,
+          executionId,
+          justification
+        },
+        actorId
+      );
+    }
+  }
+};
+
+export { adapters_exports as Adapters, backlog_adapter_exports as BacklogAdapter, changelog_adapter_exports as ChangelogAdapter, config_manager_exports as Config, crypto_exports as Crypto, diagram_generator_exports as DiagramGenerator, event_bus_exports as EventBus, execution_adapter_exports as ExecutionAdapter, factories_exports as Factories, feedback_adapter_exports as FeedbackAdapter, git_exports as Git, identity_adapter_exports as IdentityAdapter, indexer_adapter_exports as IndexerAdapter, lint_exports as Lint, logger_exports as Logger, metrics_adapter_exports as MetricsAdapter, pii_detector_exports as PiiDetector, project_adapter_exports as ProjectAdapter, types_exports as Records, schemas_exports as Schemas, source_auditor_exports as SourceAuditor, store_exports as Store, sync_exports as Sync, validation_exports as Validation, workflow_methodology_adapter_exports as WorkflowMethodologyAdapter };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map