@gobing-ai/ts-rule-engine 0.2.8 → 0.3.0

package/README.md

@@ -136,7 +136,9 @@ Load a rule file directly:
 ```ts
 import { loadRuleFile } from '@gobing-ai/ts-rule-engine';
 
-const rules = await loadRuleFile('.rules/typescript.yaml');
+// Returns { rules, extensions } — same shape as loadPreset(). A rule file may
+// declare an `extensions` block; the refs are gated by allowExtensions at load time.
+const { rules, extensions } = await loadRuleFile('.rules/typescript.yaml');
 ```
 
 ## Presets

package/dist/config/extensions.d.ts

@@ -26,12 +26,13 @@ export interface LoadExtensionsOptions {
     moduleLoader?: (absPath: string) => Promise<Record<string, unknown>>;
 }
 /**
- * Collect extension refs declared by a preset's `extensions` block.
+ * Collect extension refs declared by a preset's or rule file's `extensions` block.
  *
- * Paths are resolved relative to the preset file's directory. Use the returned
- * refs with {@link loadExtensionsIntoHost}.
+ * Paths are resolved relative to the declaring file's directory. Use the returned
+ * refs with {@link loadExtensionsIntoHost}. Rule files and presets are treated
+ * identically — both flow through the same trust gate at load time.
  */
-export declare function collectPresetExtensions(presetName: string, presetDir: string, extensions: Partial<Record<ExtensionKind, string[] | undefined>> | undefined): ExtensionRef[];
+export declare function collectExtensions(sourceName: string, sourceDir: string, extensions: Partial<Record<ExtensionKind, string[] | undefined>> | undefined): ExtensionRef[];
 /**
  * Import each extension module and register its export on the matching host
  * registry.

package/dist/config/extensions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"extensions.d.ts","sourceRoot":"","sources":["../../src/config/extensions.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,2DAA2D;AAC3D,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAEjF,yEAAyE;AACzE,MAAM,WAAW,YAAY;IACzB,qDAAqD;IACrD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC/B;AAED,oDAAoD;AACpD,MAAM,WAAW,qBAAqB;IAClC;;;;OAIG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,sEAAsE;IACtE,MAAM,CAAC,EAAE;QAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IAC7C,oFAAoF;IACpF,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACxE;AASD;;;;;GAKG;AACH,wBAAgB,uBAAuB,CACnC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,GAAG,SAAS,GAC7E,YAAY,EAAE,CAShB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,sBAAsB,CACxC,IAAI,EAAE,cAAc,EACpB,IAAI,EAAE,SAAS,YAAY,EAAE,EAC7B,OAAO,GAAE,qBAA0B,GACpC,OAAO,CAAC,IAAI,CAAC,CAoCf"}
+{"version":3,"file":"extensions.d.ts","sourceRoot":"","sources":["../../src/config/extensions.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAE/D,2DAA2D;AAC3D,MAAM,MAAM,aAAa,GAAG,WAAW,GAAG,YAAY,GAAG,QAAQ,GAAG,YAAY,CAAC;AAEjF,yEAAyE;AACzE,MAAM,WAAW,YAAY;IACzB,qDAAqD;IACrD,QAAQ,CAAC,IAAI,EAAE,aAAa,CAAC;IAC7B,6CAA6C;IAC7C,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,yEAAyE;IACzE,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAC;CAC/B;AAED,oDAAoD;AACpD,MAAM,WAAW,qBAAqB;IAClC;;;;OAIG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,sEAAsE;IACtE,MAAM,CAAC,EAAE;QAAE,IAAI,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAA;KAAE,CAAC;IAC7C,oFAAoF;IACpF,YAAY,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CACxE;AASD;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAC7B,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,MAAM,EACjB,UAAU,EAAE,OAAO,CAAC,MAAM,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC,GAAG,SAAS,GAC7E,YAAY,EAAE,CAShB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,sBAAsB,CACxC,IAAI,EAAE,cAAc,EACpB,IAAI,EAAE,SAAS,YAAY,EAAE,EAC7B,OAAO,GAAE,qBAA0B,GACpC,OAAO,CAAC,IAAI,CAAC,CAoCf"}

package/dist/config/extensions.js

@@ -6,18 +6,19 @@ const HOST_REGISTRY_BY_KIND = {
     formatters: 'formatters',
 };
 /**
- * Collect extension refs declared by a preset's `extensions` block.
+ * Collect extension refs declared by a preset's or rule file's `extensions` block.
  *
- * Paths are resolved relative to the preset file's directory. Use the returned
- * refs with {@link loadExtensionsIntoHost}.
+ * Paths are resolved relative to the declaring file's directory. Use the returned
+ * refs with {@link loadExtensionsIntoHost}. Rule files and presets are treated
+ * identically — both flow through the same trust gate at load time.
  */
-export function collectPresetExtensions(presetName, presetDir, extensions) {
+export function collectExtensions(sourceName, sourceDir, extensions) {
     if (extensions === undefined)
         return [];
     const refs = [];
     for (const kind of ['resolvers', 'evaluators', 'fixers', 'formatters']) {
         for (const path of extensions[kind] ?? []) {
-            refs.push({ kind, presetName, absPath: resolve(presetDir, path) });
+            refs.push({ kind, presetName: sourceName, absPath: resolve(sourceDir, path) });
         }
     }
     return refs;

package/dist/config/loader.d.ts

@@ -37,6 +37,14 @@ export interface LoadedPreset {
  */
 export declare function loadPreset(name: string, options: RuleLoaderOptions): Promise<LoadedPreset>;
 export declare function loadPresetRules(name: string, options: RuleLoaderOptions): Promise<ConstraintRule[]>;
-/** Load a direct rule file from disk. */
-export declare function loadRuleFile(filePath: string, options?: RuleFileLoadOptions): Promise<ConstraintRule[]>;
+/**
+ * Load a direct rule file from disk.
+ *
+ * Returns the normalized rules plus any extension modules the file declares in an
+ * `extensions` block, resolved to absolute paths. Rule-file extensions are treated
+ * exactly like preset extensions — pass the refs to {@link loadExtensionsIntoHost},
+ * which enforces the same `allowExtensions` trust gate. A single-rule file (one rule
+ * object, not a `rules:` array) cannot declare extensions and yields `extensions: []`.
+ */
+export declare function loadRuleFile(filePath: string, options?: RuleFileLoadOptions): Promise<LoadedPreset>;
 //# sourceMappingURL=loader.d.ts.map

package/dist/config/loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAEA,OAAO,EACH,KAAK,cAAc,EAMtB,MAAM,UAAU,CAAC;AAClB,OAAO,EAA2B,KAAK,YAAY,EAAE,MAAM,cAAc,CAAC;AAE1E,wCAAwC;AACxC,MAAM,WAAW,iBAAiB;IAC9B;;;;;;OAMG;IACH,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,4FAA4F;IAC5F,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,oEAAoE;IACpE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD;AAED,MAAM,WAAW,mBAAmB;IAChC,mEAAmE;IACnE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,oEAAoE;IACpE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD;AAED,mFAAmF;AACnF,MAAM,WAAW,YAAY;IACzB,+DAA+D;IAC/D,QAAQ,CAAC,KAAK,EAAE,cAAc,EAAE,CAAC;IACjC,kFAAkF;IAClF,QAAQ,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;CACvC;AAUD;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAqBhG;AAED,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAEzG;AAED,yCAAyC;AACzC,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAGjH"}
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAEA,OAAO,EACH,KAAK,cAAc,EAOtB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAqB,KAAK,YAAY,EAAE,MAAM,cAAc,CAAC;AAEpE,wCAAwC;AACxC,MAAM,WAAW,iBAAiB;IAC9B;;;;;;OAMG;IACH,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,4FAA4F;IAC5F,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,oEAAoE;IACpE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD;AAED,MAAM,WAAW,mBAAmB;IAChC,mEAAmE;IACnE,cAAc,CAAC,EAAE,OAAO,CAAC;IACzB,oEAAoE;IACpE,KAAK,CAAC,EAAE,CAAC,KAAK,EAAE,MAAM,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC;CAChD;AAED,mFAAmF;AACnF,MAAM,WAAW,YAAY;IACzB,+DAA+D;IAC/D,QAAQ,CAAC,KAAK,EAAE,cAAc,EAAE,CAAC;IACjC,kFAAkF;IAClF,QAAQ,CAAC,UAAU,EAAE,YAAY,EAAE,CAAC;CACvC;AAUD;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAahG;AAyCD,wBAAsB,eAAe,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC,CAEzG;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,GAAE,mBAAwB,GAAG,OAAO,CAAC,YAAY,CAAC,CAS7G"}

package/dist/config/loader.js

@@ -1,7 +1,7 @@
 import { basename, dirname, join, relative, resolve, sep } from 'node:path';
 import { loadStructuredConfig, NodeFileSystem } from '@gobing-ai/ts-runtime';
 import { ConstraintRuleFileSchema, ConstraintRuleSchema, PresetDefinitionSchema, } from '../types.js';
-import { collectPresetExtensions } from './extensions.js';
+import { collectExtensions } from './extensions.js';
 /**
  * Load and normalize a preset by name, resolving across one or more rule roots.
  *
@@ -16,29 +16,64 @@ export async function loadPreset(name, options) {
         return { rules: [], extensions: [] };
     const preset = PresetDefinitionSchema.parse(await readStructuredFile(presetPath, options));
     const rules = [];
-    const extensions = collectPresetExtensions(preset.name, dirname(presetPath), preset.extensions);
+    const extensions = collectExtensions(preset.name, dirname(presetPath), preset.extensions);
     for (const entry of preset.extends) {
         const loaded = await loadPresetEntry(merged, entry, new Set([name]), options);
         rules.push(...loaded.rules);
         extensions.push(...loaded.extensions);
     }
-    const disabled = new Set(preset.disable ?? []);
-    const normalized = rules.filter((rule) => !disabled.has(rule.id));
-    for (const rule of normalized) {
-        const override = preset.overrides?.[rule.id];
+    return { rules: applyPresetControls(preset.name, rules, preset.disable, preset.overrides), extensions };
+}
+/** Collapse rules sharing an id to a single entry; later definitions win (last-wins merge). */
+function dedupeById(rules) {
+    const byId = new Map();
+    for (const rule of rules)
+        byId.set(rule.id, rule);
+    return [...byId.values()];
+}
+/** Apply a preset's local disable and override controls after composing its children. */
+function applyPresetControls(presetName, rules, disabledIds, overrides) {
+    const disabled = new Set(disabledIds ?? []);
+    const controlled = dedupeById(rules).filter((rule) => !disabled.has(rule.id));
+    for (const rule of controlled) {
+        const override = overrides?.[rule.id];
         if (override?.fix !== undefined) {
+            assertFixModeNotPromoted(presetName, rule, override.fix.mode);
             rule.fix = { ...(rule.fix ?? { mode: 'none' }), ...override.fix };
         }
     }
-    return { rules: normalized, extensions };
+    return controlled;
+}
+/** Fix-mode authority ordering; an override may lower but never raise a rule's mode. */
+const FIX_MODE_AUTHORITY = { none: 0, suggest: 1, auto: 2 };
+/** Throw when a preset override would escalate a rule's fix authority above its authored level. */
+function assertFixModeNotPromoted(presetName, rule, overrideMode) {
+    const ruleMode = rule.fix?.mode ?? 'none';
+    if (FIX_MODE_AUTHORITY[overrideMode] > FIX_MODE_AUTHORITY[ruleMode]) {
+        throw new Error(`Preset "${presetName}" override for rule "${rule.id}" raises fix mode from "${ruleMode}" to "${overrideMode}"; overrides may only lower fix authority`);
+    }
 }
 export async function loadPresetRules(name, options) {
     return (await loadPreset(name, options)).rules;
 }
-/** Load a direct rule file from disk. */
+/**
+ * Load a direct rule file from disk.
+ *
+ * Returns the normalized rules plus any extension modules the file declares in an
+ * `extensions` block, resolved to absolute paths. Rule-file extensions are treated
+ * exactly like preset extensions — pass the refs to {@link loadExtensionsIntoHost},
+ * which enforces the same `allowExtensions` trust gate. A single-rule file (one rule
+ * object, not a `rules:` array) cannot declare extensions and yields `extensions: []`.
+ */
 export async function loadRuleFile(filePath, options = {}) {
     const resolved = resolve(filePath);
-    return normalizeRuleFile(await readStructuredFile(resolved, options), dirname(resolved));
+    const raw = await readStructuredFile(resolved, options);
+    const rules = normalizeRuleFile(raw, resolved);
+    const parsed = ConstraintRuleFileSchema.safeParse(raw);
+    const extensions = parsed.success
+        ? collectExtensions(basename(resolved), dirname(resolved), parsed.data.extensions)
+        : [];
+    return { rules, extensions };
 }
 async function loadPresetEntry(merged, entry, seen, options) {
     // Sub-preset reference — recurse, erroring on a genuine cycle.
@@ -51,20 +86,23 @@ async function loadPresetEntry(merged, entry, seen, options) {
         const preset = PresetDefinitionSchema.safeParse(await readStructuredFile(presetPath, options));
         if (preset.success) {
             const rules = [];
-            const extensions = collectPresetExtensions(preset.data.name, dirname(presetPath), preset.data.extensions);
+            const extensions = collectExtensions(preset.data.name, dirname(presetPath), preset.data.extensions);
             for (const child of preset.data.extends) {
                 const loaded = await loadPresetEntry(merged, child, nextSeen, options);
                 rules.push(...loaded.rules);
                 extensions.push(...loaded.extensions);
             }
-            return { rules: rules.filter((rule) => !(preset.data.disable ?? []).includes(rule.id)), extensions };
+            return {
+                rules: applyPresetControls(preset.data.name, rules, preset.data.disable, preset.data.overrides),
+                extensions,
+            };
         }
     }
     // Category folder reference — load every winning file under that prefix.
     if (merged.categories.has(entry)) {
         const rules = [];
         for (const absPath of mergedFilesInCategory(merged, entry)) {
-            rules.push(...normalizeRuleFile(await readStructuredFile(absPath, options), dirname(absPath)));
+            rules.push(...normalizeRuleFile(await readStructuredFile(absPath, options), absPath));
         }
         return { rules, extensions: [] };
     }
@@ -72,7 +110,7 @@ async function loadPresetEntry(merged, entry, seen, options) {
     const subPath = findMergedFile(merged, entry);
     if (subPath !== null)
         return {
-            rules: normalizeRuleFile(await readStructuredFile(subPath, options), dirname(subPath)),
+            rules: normalizeRuleFile(await readStructuredFile(subPath, options), subPath),
             extensions: [],
         };
     return { rules: [], extensions: [] };
@@ -175,23 +213,39 @@ async function readStructuredFile(path, options = {}) {
         fetch: options.fetch,
     });
 }
-function normalizeRuleFile(raw, sourceDir) {
+function normalizeRuleFile(raw, filePath) {
+    const sourceDir = dirname(filePath);
     const maybeFile = ConstraintRuleFileSchema.safeParse(raw);
     if (maybeFile.success)
         return normalizeFileRules(maybeFile.data, sourceDir);
     const maybeRule = ConstraintRuleSchema.safeParse(raw);
     if (maybeRule.success)
-        return [normalizeRule(maybeRule.data, {}, sourceDir)];
-    throw new Error(`Invalid rule file: ${basename(sourceDir)}`);
+        return [normalizeRule(maybeRule.data, sourceDir)];
+    // Surface the schema diagnostics that best fit the input: a `rules:` array means
+    // the author intended a rule file, so report against that schema; otherwise the
+    // single-rule schema. Include field paths so the offending key is obvious.
+    const isRuleFileShape = typeof raw === 'object' && raw !== null && 'rules' in raw;
+    const issues = (isRuleFileShape ? maybeFile.error : maybeRule.error).issues;
+    throw new Error(`Invalid rule file "${basename(filePath)}": ${formatIssues(issues)}`);
+}
+/** Render Zod issues as `path: message` fragments for actionable diagnostics. */
+function formatIssues(issues) {
+    return issues
+        .map((issue) => {
+        const path = issue.path.map(String).join('.');
+        return path.length > 0 ? `${path}: ${issue.message}` : issue.message;
+    })
+        .join('; ');
 }
 function normalizeFileRules(file, sourceDir) {
     return file.rules.map((rule) => normalizeRule({
         ...rule,
-        severity: rule.severity ?? file.severity ?? 'error',
+        // Rule-level severity wins, then the file-level default, then 'error'.
+        severity: rule.severity ?? file.severity,
         include: rule.include ?? file.include,
         // File-level excludes always apply; a rule's own excludes add to (not replace) them.
         exclude: mergeExcludes(file.exclude, rule.exclude),
-    }, {}, sourceDir));
+    }, sourceDir));
 }
 /** Union of file-level and rule-level excludes, de-duplicated. Returns undefined when both empty. */
 function mergeExcludes(fileExclude, ruleExclude) {
@@ -199,7 +253,7 @@ function mergeExcludes(fileExclude, ruleExclude) {
         return undefined;
     return [...new Set([...(fileExclude ?? []), ...(ruleExclude ?? [])])];
 }
-function normalizeRule(rule, _defaults, _sourceDir) {
+function normalizeRule(rule, _sourceDir) {
     return {
         ...rule,
         enabled: rule.enabled ?? true,

package/dist/engine.d.ts

@@ -18,7 +18,14 @@ export declare class RuleEngine {
     constructor(options?: RuleEngineOptions);
     /** Register or replace an evaluator. */
     registerEvaluator(type: string, evaluator: RuleEvaluator): void;
-    /** Evaluate all enabled rules against a working directory. */
+    /**
+     * Evaluate all enabled rules against a working directory.
+     *
+     * Thin delegate to {@link evaluateWithFixes} with `maxFixMode = 'none'`; the fix
+     * branch in that path is short-circuited by `effectiveFixMode` so callers see only
+     * findings, never auto-generated fixes. Keeps the rule loop and error-finding
+     * semantics in one place.
+     */
     evaluate(rules: ConstraintRule[], workdir: string): Promise<RuleEngineResult>;
     /**
      * Evaluate all enabled rules and collect candidate fixes.

package/dist/engine.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAKH,KAAK,oBAAoB,EAE5B,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,KAAK,EAAqB,cAAc,EAAE,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGhH,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAC9B,+DAA+D;IAC/D,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,mCAAmC;IACnC,IAAI,CAAC,EAAE,cAAc,CAAC;CACzB;AAED,4EAA4E;AAC5E,qBAAa,UAAU;IACnB,2CAA2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAE9B,+CAA+C;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAE5C,OAAO,GAAE,iBAAsB;IAM3C,wCAAwC;IACxC,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,GAAG,IAAI;IAI/D,8DAA8D;IACxD,QAAQ,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAqBnF;;;;;;;;;;;OAWG;IACG,iBAAiB,CACnB,KAAK,EAAE,cAAc,EAAE,EACvB,OAAO,EAAE,MAAM,EACf,UAAU,GAAE,OAAgB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;IAkD5B;;;;;;;OAOG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,GAAG,EAAE,EAAE,MAAM,UAAQ,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAG1G"}
+{"version":3,"file":"engine.d.ts","sourceRoot":"","sources":["../src/engine.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAKH,KAAK,oBAAoB,EAE5B,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAC;AACzD,OAAO,KAAK,EAAqB,cAAc,EAAE,GAAG,EAAE,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAGhH,6CAA6C;AAC7C,MAAM,WAAW,iBAAiB;IAC9B,+DAA+D;IAC/D,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,mCAAmC;IACnC,IAAI,CAAC,EAAE,cAAc,CAAC;CACzB;AAED,4EAA4E;AAC5E,qBAAa,UAAU;IACnB,2CAA2C;IAC3C,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAC;IAE9B,+CAA+C;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAiC;gBAE5C,OAAO,GAAE,iBAAsB;IAM3C,wCAAwC;IACxC,iBAAiB,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,aAAa,GAAG,IAAI;IAI/D;;;;;;;OAOG;IACG,QAAQ,CAAC,KAAK,EAAE,cAAc,EAAE,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAInF;;;;;;;;;;;OAWG;IACG,iBAAiB,CACnB,KAAK,EAAE,cAAc,EAAE,EACvB,OAAO,EAAE,MAAM,EACf,UAAU,GAAE,OAAgB,GAC7B,OAAO,CAAC,gBAAgB,CAAC;IAkD5B;;;;;;;OAOG;IACG,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,SAAS,GAAG,EAAE,EAAE,MAAM,UAAQ,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAG1G"}

package/dist/engine.js

@@ -17,26 +17,16 @@ export class RuleEngine {
     registerEvaluator(type, evaluator) {
         this.host.evaluators.register(type, evaluator, 'extension');
     }
-    /** Evaluate all enabled rules against a working directory. */
+    /**
+     * Evaluate all enabled rules against a working directory.
+     *
+     * Thin delegate to {@link evaluateWithFixes} with `maxFixMode = 'none'`; the fix
+     * branch in that path is short-circuited by `effectiveFixMode` so callers see only
+     * findings, never auto-generated fixes. Keeps the rule loop and error-finding
+     * semantics in one place.
+     */
     async evaluate(rules, workdir) {
-        const findings = [];
-        const fixes = [];
-        for (const rule of rules) {
-            if (rule.enabled === false)
-                continue;
-            try {
-                const result = await this.host.evaluators.get(rule.evaluator.type).evaluate(rule, { rule, workdir });
-                findings.push(...result.findings);
-                fixes.push(...result.fixes);
-            }
-            catch (error) {
-                findings.push(createFinding(rule, error instanceof Error ? error.message : String(error), null, {
-                    code: `evaluator:${rule.evaluator.type}`,
-                    kind: 'error',
-                }));
-            }
-        }
-        return { findings, fixes };
+        return this.evaluateWithFixes(rules, workdir, 'none');
     }
     /**
      * Evaluate all enabled rules and collect candidate fixes.

package/dist/evaluators/coverage-gate-evaluator.js

@@ -77,18 +77,27 @@ function parseLcov(raw) {
             linesHit = 0;
         }
         else if (trimmed.startsWith('LF:')) {
-            linesFound = Number(trimmed.slice(3));
+            linesFound = parseCount(trimmed.slice(3));
         }
         else if (trimmed.startsWith('LH:')) {
-            linesHit = Number(trimmed.slice(3));
+            linesHit = parseCount(trimmed.slice(3));
         }
         else if (trimmed === 'end_of_record' && file !== null) {
-            result.set(file, { linesFound, linesHit });
+            // Skip records with malformed counts: a non-numeric LF:/LH: would
+            // otherwise yield NaN coverage and a spurious below-threshold finding.
+            if (linesFound !== null && linesHit !== null) {
+                result.set(file, { linesFound, linesHit });
+            }
             file = null;
         }
     }
     return result;
 }
+/** Parse an lcov count field; return null for non-finite or negative values. */
+function parseCount(raw) {
+    const value = Number(raw);
+    return Number.isFinite(value) && value >= 0 ? value : null;
+}
 /** Standard exclusions applied regardless of config (tests, generated, deps). */
 function isAlwaysExcluded(filePath) {
     return (filePath.includes('node_modules') ||

package/dist/evaluators/file-utils.d.ts

@@ -14,6 +14,46 @@ export interface SourceDiscoveryOptions {
 export declare function discoverFiles(options: SourceDiscoveryOptions): Promise<string[]>;
 /** Read a file from a workdir-relative path. */
 export declare function readWorkdirFile(workdir: string, filePath: string, fs?: NodeFileSystem): Promise<string>;
+/** A discovered in-scope file paired with its contents. */
+export interface ScannedFile {
+    /** Workdir-relative path. */
+    readonly file: string;
+    /** Full file contents. */
+    readonly content: string;
+}
+/** How `scanFiles` matches `include` / `exclude` against discovered paths. */
+export type ScanMatchMode = 'loose' | 'glob';
+/** Options for {@link scanFiles}. */
+export interface ScanFilesOptions {
+    /** Working directory to walk. */
+    workdir: string;
+    /** Include patterns; semantics depend on `matchMode`. Undefined/empty = all files. */
+    include?: string[];
+    /** Exclude patterns; semantics depend on `matchMode`. */
+    exclude?: string[];
+    /**
+     * Scope matching policy:
+     * - `loose` — substring/suffix fragments via {@link matchesAny} (back-compat for
+     *   evaluators that historically accepted bare fragments like `.ts` or `src/`).
+     * - `glob` — anchored `**`/`*` globs via {@link matchesGlob}.
+     *
+     * The two are NOT interchangeable: a bare `src/` matches different sets under each.
+     * Each evaluator declares the mode that preserves its existing behavior.
+     */
+    matchMode: ScanMatchMode;
+    /** Filesystem adapter. */
+    fs?: FileSystem;
+}
+/**
+ * Discover in-scope files and read each once — the shared scaffolding behind the
+ * line-scanning evaluators. Owns discovery, scope filtering (per `matchMode`), and
+ * reads, so each evaluator is left with only its own matcher.
+ *
+ * Scope is a parameter, not assumed one-per-rule: callers that scan under several
+ * scopes (e.g. import boundaries) pass no `include` here and apply their own globs to
+ * the returned paths.
+ */
+export declare function scanFiles(options: ScanFilesOptions): Promise<ScannedFile[]>;
 /** Ensure a path is workdir-relative for findings. */
 export declare function relativeToWorkdir(workdir: string, path: string): string;
 /** Return parent directory for a workdir-relative path. */
@@ -28,4 +68,19 @@ export declare function matchesAny(path: string, patterns: string[] | undefined)
  * (coverage scoping, test-file location) where a loose match would change findings.
  */
 export declare function matchesGlob(path: string, pattern: string): boolean;
+/** Escape a string for safe literal use inside a `RegExp` source. */
+export declare function escapeRegExp(value: string): string;
+/** Return the value as a `string[]` when every item is a string, otherwise undefined. */
+export declare function stringArray(value: unknown): string[] | undefined;
+/**
+ * Split a leading ripgrep/PCRE-style `(?flags)` inline group off a regex source.
+ *
+ * Returns the JS-relevant flags found in the group (filtered to `imsu`) and the
+ * remaining source with the group removed. When no leading group is present, returns
+ * empty flags and the source unchanged. Shared by evaluators that accept inline flags.
+ */
+export declare function parseInlineFlags(source: string): {
+    flags: string;
+    rest: string;
+};
 //# sourceMappingURL=file-utils.d.ts.map

package/dist/evaluators/file-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"file-utils.d.ts","sourceRoot":"","sources":["../../src/evaluators/file-utils.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,UAAU,EAAE,cAAc,EAAW,MAAM,uBAAuB,CAAC;AAEjF,yCAAyC;AACzC,MAAM,WAAW,sBAAsB;IACnC,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,0BAA0B;IAC1B,EAAE,CAAC,EAAE,UAAU,CAAC;CACnB;AAID,qFAAqF;AACrF,wBAAsB,aAAa,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWtF;AAED,gDAAgD;AAChD,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAuB,GAAG,OAAO,CAAC,MAAM,CAAC,CAEnH;AAED,sDAAsD;AACtD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEvE;AAED,2DAA2D;AAC3D,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED,uEAAuE;AACvE,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAMhF;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAUlE"}
+{"version":3,"file":"file-utils.d.ts","sourceRoot":"","sources":["../../src/evaluators/file-utils.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,KAAK,UAAU,EAAE,cAAc,EAAW,MAAM,uBAAuB,CAAC;AAEjF,yCAAyC;AACzC,MAAM,WAAW,sBAAsB;IACnC,yBAAyB;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,8BAA8B;IAC9B,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,0BAA0B;IAC1B,EAAE,CAAC,EAAE,UAAU,CAAC;CACnB;AAID,qFAAqF;AACrF,wBAAsB,aAAa,CAAC,OAAO,EAAE,sBAAsB,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWtF;AAED,gDAAgD;AAChD,wBAAsB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,iBAAuB,GAAG,OAAO,CAAC,MAAM,CAAC,CAEnH;AAED,2DAA2D;AAC3D,MAAM,WAAW,WAAW;IACxB,6BAA6B;IAC7B,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC5B;AAED,8EAA8E;AAC9E,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,MAAM,CAAC;AAE7C,qCAAqC;AACrC,MAAM,WAAW,gBAAgB;IAC7B,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,sFAAsF;IACtF,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,yDAAyD;IACzD,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB;;;;;;;;OAQG;IACH,SAAS,EAAE,aAAa,CAAC;IACzB,0BAA0B;IAC1B,EAAE,CAAC,EAAE,UAAU,CAAC;CACnB;AAED;;;;;;;;GAQG;AACH,wBAAsB,SAAS,CAAC,OAAO,EAAE,gBAAgB,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CAWjF;AAeD,sDAAsD;AACtD,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEvE;AAED,2DAA2D;AAC3D,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAGnD;AAED,uEAAuE;AACvE,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,SAAS,GAAG,OAAO,CAMhF;AAED;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAUlE;AAqBD,qEAAqE;AACrE,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAElD;AAED,yFAAyF;AACzF,wBAAgB,WAAW,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,GAAG,SAAS,CAEhE;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,CAKhF"}

package/dist/evaluators/file-utils.js

@@ -15,6 +15,33 @@ export async function discoverFiles(options) {
 export async function readWorkdirFile(workdir, filePath, fs = new NodeFileSystem()) {
     return await fs.readFile(resolve(workdir, filePath));
 }
+/**
+ * Discover in-scope files and read each once — the shared scaffolding behind the
+ * line-scanning evaluators. Owns discovery, scope filtering (per `matchMode`), and
+ * reads, so each evaluator is left with only its own matcher.
+ *
+ * Scope is a parameter, not assumed one-per-rule: callers that scan under several
+ * scopes (e.g. import boundaries) pass no `include` here and apply their own globs to
+ * the returned paths.
+ */
+export async function scanFiles(options) {
+    const fs = options.fs ?? new NodeFileSystem();
+    const files = options.matchMode === 'loose'
+        ? await discoverFiles({ workdir: options.workdir, include: options.include, exclude: options.exclude, fs })
+        : await discoverFilesByGlob(options.workdir, options.include, options.exclude, fs);
+    const scanned = [];
+    for (const file of files) {
+        scanned.push({ file, content: await readWorkdirFile(options.workdir, file, fs) });
+    }
+    return scanned;
+}
+/** Discover files then filter with anchored globs (strict mode for {@link scanFiles}). */
+async function discoverFilesByGlob(workdir, include, exclude, fs) {
+    const all = await discoverFiles({ workdir, fs });
+    return all
+        .filter((file) => include === undefined || include.length === 0 || include.some((g) => matchesGlob(file, g)))
+        .filter((file) => exclude === undefined || !exclude.some((g) => matchesGlob(file, g)));
+}
 /** Ensure a path is workdir-relative for findings. */
 export function relativeToWorkdir(workdir, path) {
     return relative(workdir, resolve(path));
@@ -73,3 +100,25 @@ function matchSegment(segment, pattern) {
     const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replaceAll('*', '[^/]*');
     return new RegExp(`^${escaped}$`).test(segment);
 }
+/** Escape a string for safe literal use inside a `RegExp` source. */
+export function escapeRegExp(value) {
+    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+/** Return the value as a `string[]` when every item is a string, otherwise undefined. */
+export function stringArray(value) {
+    return Array.isArray(value) && value.every((item) => typeof item === 'string') ? value : undefined;
+}
+/**
+ * Split a leading ripgrep/PCRE-style `(?flags)` inline group off a regex source.
+ *
+ * Returns the JS-relevant flags found in the group (filtered to `imsu`) and the
+ * remaining source with the group removed. When no leading group is present, returns
+ * empty flags and the source unchanged. Shared by evaluators that accept inline flags.
+ */
+export function parseInlineFlags(source) {
+    const match = /^\(\?([a-z]+)\)/.exec(source);
+    if (!match)
+        return { flags: '', rest: source };
+    const flags = [...(match[1] ?? '')].filter((flag) => 'imsu'.includes(flag)).join('');
+    return { flags, rest: source.slice(match[0].length) };
+}

package/dist/evaluators/forbidden-import-evaluator.d.ts

@@ -9,6 +9,11 @@ import { type ConstraintRule, type RuleContext, type RuleEvaluationResult, type
  *   entry is an exact `specifier` (also matching require/dynamic forms unless
  *   `includeRequire:false`) or a raw `pattern`, scoped by `scope.include` /
  *   `scope.exclude` globs.
+ *
+ * Trust assumption: rule config is trusted input. A raw `pattern` is compiled with
+ * `new RegExp` and run per line without a backtracking bound, so a
+ * catastrophic-backtracking pattern is the rule author's responsibility. Runtime
+ * ReDoS hardening is deferred (see task 0003).
  */
 export declare class ForbiddenImportEvaluator implements RuleEvaluator {
     /** Evaluate import/usage against the configured forbidden set. */

package/dist/evaluators/forbidden-import-evaluator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"forbidden-import-evaluator.d.ts","sourceRoot":"","sources":["../../src/evaluators/forbidden-import-evaluator.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,KAAK,cAAc,EAEnB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EACrB,MAAM,UAAU,CAAC;AAclB;;;;;;;;;;GAUG;AACH,qBAAa,wBAAyB,YAAW,aAAa;IAC1D,kEAAkE;IAC5D,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOzF,0FAA0F;YAC5E,cAAc;IA+B5B,4EAA4E;YAC9D,kBAAkB;CAoCnC"}
+{"version":3,"file":"forbidden-import-evaluator.d.ts","sourceRoot":"","sources":["../../src/evaluators/forbidden-import-evaluator.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,KAAK,cAAc,EAEnB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EACrB,MAAM,UAAU,CAAC;AAclB;;;;;;;;;;;;;;;GAeG;AACH,qBAAa,wBAAyB,YAAW,aAAa;IAC1D,kEAAkE;IAC5D,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAOzF,0FAA0F;YAC5E,cAAc;IAgC5B,4EAA4E;YAC9D,kBAAkB;CAiCnC"}

package/dist/evaluators/forbidden-import-evaluator.js

@@ -1,5 +1,5 @@
 import { createFinding, } from '../types.js';
-import { discoverFiles, matchesGlob, readWorkdirFile } from './file-utils.js';
+import { escapeRegExp, scanFiles, stringArray } from './file-utils.js';
 /**
  * Detects forbidden imports / API usage.
  *
@@ -10,6 +10,11 @@ import { discoverFiles, matchesGlob, readWorkdirFile } from './file-utils.js';
  *   entry is an exact `specifier` (also matching require/dynamic forms unless
  *   `includeRequire:false`) or a raw `pattern`, scoped by `scope.include` /
  *   `scope.exclude` globs.
+ *
+ * Trust assumption: rule config is trusted input. A raw `pattern` is compiled with
+ * `new RegExp` and run per line without a backtracking bound, so a
+ * catastrophic-backtracking pattern is the rule author's responsibility. Runtime
+ * ReDoS hardening is deferred (see task 0003).
  */
 export class ForbiddenImportEvaluator {
     /** Evaluate import/usage against the configured forbidden set. */
@@ -22,14 +27,15 @@ export class ForbiddenImportEvaluator {
     /** Legacy path: `{ patterns: string[] }`, substring-matched against import specifiers. */
     async evaluateSimple(rule, context, config) {
         const forbidden = arrayConfig(config, 'patterns');
-        const files = await discoverFiles({
+        const files = await scanFiles({
             workdir: context.workdir,
             include: rule.include ?? ['.ts', '.tsx', '.js', '.jsx'],
             exclude: rule.exclude,
+            matchMode: 'loose',
         });
         const findings = [];
-        for (const file of files) {
-            const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
+        for (const { file, content } of files) {
+            const lines = content.split('\n');
             for (const [index, line] of lines.entries()) {
                 const imported = importSpecifier(line);
                 if (imported === undefined)
@@ -54,14 +60,11 @@ export class ForbiddenImportEvaluator {
         }
         const exclude = stringArray(scope?.exclude) ?? [];
         const entries = config.forbidden.map(compileEntry);
-        // Discover all source files, then apply scope globs precisely (discoverFiles'
-        // include matching is intentionally loose, so it cannot do `**`-anchored scoping).
-        const files = (await discoverFiles({ workdir: context.workdir }))
-            .filter((file) => include.some((glob) => matchesGlob(file, glob)))
-            .filter((file) => !exclude.some((glob) => matchesGlob(file, glob)));
+        // Anchored `**`-glob scoping: scanFiles' 'glob' mode applies matchesGlob precisely.
+        const files = await scanFiles({ workdir: context.workdir, include, exclude, matchMode: 'glob' });
         const findings = [];
-        for (const file of files) {
-            const lines = (await readWorkdirFile(context.workdir, file)).split('\n');
+        for (const { file, content } of files) {
+            const lines = content.split('\n');
             for (const [index, line] of lines.entries()) {
                 const hit = entries.find((entry) => entry.regex.test(line));
                 if (hit !== undefined) {
@@ -91,9 +94,6 @@ function compileEntry(entry) {
     }
     return { regex: new RegExp(entry.pattern), label: entry.pattern };
 }
-function escapeRegExp(value) {
-    return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
 function arrayConfig(config, key) {
     const value = config[key];
     if (Array.isArray(value) && value.every((item) => typeof item === 'string'))
@@ -102,6 +102,3 @@ function arrayConfig(config, key) {
         return [value];
     throw new Error(`forbidden-import evaluator requires string[] config "${key}"`);
 }
-function stringArray(value) {
-    return Array.isArray(value) && value.every((item) => typeof item === 'string') ? value : undefined;
-}

package/dist/evaluators/import-boundary-evaluator.d.ts

@@ -11,6 +11,11 @@ import { type ConstraintRule, type RuleContext, type RuleEvaluationResult, type
  *   - `scope` — glob pattern selecting files this boundary applies to.
  *   - `forbidden` — array of strings or `{ pattern, mode?, syntax? }` objects.
  *   - `exclude` — optional globs within the scope to ignore.
+ *
+ * Trust assumption: rule config is trusted input. A `pattern` is compiled with
+ * `new RegExp` and run per line without a backtracking bound, so a
+ * catastrophic-backtracking pattern is the rule author's responsibility. Runtime
+ * ReDoS hardening is deferred (see task 0003).
  */
 export declare class ImportBoundaryEvaluator implements RuleEvaluator {
     /** Evaluate import boundaries across all in-scope files. */

package/dist/evaluators/import-boundary-evaluator.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"import-boundary-evaluator.d.ts","sourceRoot":"","sources":["../../src/evaluators/import-boundary-evaluator.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,KAAK,cAAc,EAEnB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EACrB,MAAM,UAAU,CAAC;AA4BlB;;;;;;;;;;;;GAYG;AACH,qBAAa,uBAAwB,YAAW,aAAa;IACzD,4DAA4D;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAuC5F"}
+{"version":3,"file":"import-boundary-evaluator.d.ts","sourceRoot":"","sources":["../../src/evaluators/import-boundary-evaluator.ts"],"names":[],"mappings":"AAAA,OAAO,EACH,KAAK,cAAc,EAEnB,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,KAAK,aAAa,EACrB,MAAM,UAAU,CAAC;AAUlB;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,uBAAwB,YAAW,aAAa;IACzD,4DAA4D;IACtD,QAAQ,CAAC,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,WAAW,GAAG,OAAO,CAAC,oBAAoB,CAAC;CAsC5F"}