@gulu9527/code-trust 0.2.0 → 0.3.0

package/dist/cli/index.js

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/cli/index.ts
-import { Command as Command6 } from "commander";
+import { Command as Command7 } from "commander";
 
 // src/cli/commands/scan.ts
 import { Command } from "commander";
@@ -120,9 +120,10 @@ detection:
 }
 
 // src/core/engine.ts
+import { createHash } from "crypto";
 import { readFile } from "fs/promises";
-import { readFileSync, existsSync as existsSync3 } from "fs";
-import { resolve as resolve2, dirname as dirname3 } from "path";
+import { readFileSync } from "fs";
+import { resolve as resolve2, dirname as dirname3, relative, sep } from "path";
 import { fileURLToPath } from "url";
 
 // src/parsers/diff.ts
@@ -589,7 +590,7 @@ function detectCodeAfterReturn(context, lines, issues) {
       }
     }
     if (/^(return|throw)\b/.test(trimmed) && !trimmed.includes("=>")) {
-      const endsOpen = /[{(\[,]$/.test(trimmed) || /^(return|throw)\s*$/.test(trimmed);
+      const endsOpen = /[[{(,]$/.test(trimmed) || /^(return|throw)\s*$/.test(trimmed);
       if (endsOpen) continue;
       lastReturnDepth = braceDepth;
       lastReturnLine = i;
@@ -645,6 +646,24 @@ function detectImmediateReassign(context, lines, issues) {
   }
 }
 
+// src/rules/fix-utils.ts
+function lineStartOffset(content, lineNumber) {
+  let offset = 0;
+  const lines = content.split("\n");
+  for (let i = 0; i < lineNumber - 1 && i < lines.length; i++) {
+    offset += lines[i].length + 1;
+  }
+  return offset;
+}
+function lineRange(content, lineNumber) {
+  const lines = content.split("\n");
+  const lineIndex = lineNumber - 1;
+  if (lineIndex < 0 || lineIndex >= lines.length) return [0, 0];
+  const start = lineStartOffset(content, lineNumber);
+  const end = start + lines[lineIndex].length + (lineIndex < lines.length - 1 ? 1 : 0);
+  return [start, end];
+}
+
 // src/parsers/ast.ts
 import { parse, AST_NODE_TYPES } from "@typescript-eslint/typescript-estree";
 
@@ -827,6 +846,19 @@ var unusedVariablesRule = {
   severity: "low",
   title: "Unused variable detected",
   description: "AI-generated code sometimes declares variables that are never used, indicating incomplete or hallucinated logic.",
+  fixable: true,
+  fix(context, issue) {
+    const lines = context.fileContent.split("\n");
+    const lineIndex = issue.startLine - 1;
+    if (lineIndex < 0 || lineIndex >= lines.length) return null;
+    const line = lines[lineIndex].trim();
+    if (/^(const|let|var)\s+\w+\s*[=:;]/.test(line) && !line.includes(",")) {
+      const [start, end] = lineRange(context.fileContent, issue.startLine);
+      if (start === end) return null;
+      return { range: [start, end], text: "" };
+    }
+    return null;
+  },
   check(context) {
     const issues = [];
     let ast;
@@ -993,6 +1025,10 @@ function truncate(s, maxLen) {
 }
 
 // src/rules/builtin/security.ts
+var isCommentLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("*");
+var stripQuotedStrings = (line) => line.replace(/'[^'\\]*(?:\\.[^'\\]*)*'/g, "''").replace(/"[^"\\]*(?:\\.[^"\\]*)*"/g, '""').replace(/`[^`\\]*(?:\\.[^`\\]*)*`/g, "``");
+var isPatternDefinitionLine = (line) => /\bpattern\s*:\s*\/.*\/[dgimsuvy]*/.test(line);
+var hasQueryContext = (line) => /\b(query|sql|statement|stmt)\b/i.test(line) || /\.(query|execute|run|prepare)\s*\(/i.test(line);
 var securityRules = [
   {
     id: "security/hardcoded-secret",
@@ -1005,7 +1041,7 @@ var securityRules = [
       const lines = context.fileContent.split("\n");
       const secretPatterns = [
         // API keys / tokens
-        { pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"`][A-Za-z0-9_\-]{16,}['"`]/i, label: "API key" },
+        { pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"`][A-Za-z0-9_-]{16,}['"`]/i, label: "API key" },
         { pattern: /(?:secret|token|password|passwd|pwd)\s*[:=]\s*['"`][^'"`]{8,}['"`]/i, label: "secret/password" },
         // AWS
         { pattern: /AKIA[0-9A-Z]{16}/, label: "AWS Access Key" },
@@ -1058,15 +1094,17 @@ var securityRules = [
       const issues = [];
       const lines = context.fileContent.split("\n");
       for (let i = 0; i < lines.length; i++) {
-        const trimmed = lines[i].trim();
-        if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
+        const line = lines[i];
+        const trimmed = line.trim();
+        if (isCommentLine(trimmed) || isPatternDefinitionLine(line)) continue;
+        const sanitizedLine = stripQuotedStrings(line);
         const evalPatterns = [
-          { pattern: /\beval\s*\(/, label: "eval()" },
-          { pattern: /new\s+Function\s*\(/, label: "new Function()" },
-          { pattern: /\b(setTimeout|setInterval)\s*\(\s*['"`]/, label: "setTimeout/setInterval with string" }
+          { pattern: /\beval\s*\(/, label: "eval()", source: sanitizedLine },
+          { pattern: /new\s+Function\s*\(/, label: "new Function()", source: sanitizedLine },
+          { pattern: /\b(setTimeout|setInterval)\s*\(\s*['"`]/, label: "setTimeout/setInterval with string", source: line }
         ];
-        for (const { pattern, label } of evalPatterns) {
-          if (pattern.test(lines[i])) {
+        for (const { pattern, label, source } of evalPatterns) {
+          if (pattern.test(source)) {
             issues.push({
               ruleId: "security/eval-usage",
               severity: "high",
@@ -1099,29 +1137,30 @@ var securityRules = [
     check(context) {
       const issues = [];
       const lines = context.fileContent.split("\n");
+      const sqlKeywords = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\b/i;
       for (let i = 0; i < lines.length; i++) {
-        const trimmed = lines[i].trim();
-        if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
-        const sqlKeywords = /\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)\b/i;
-        if (sqlKeywords.test(lines[i])) {
-          if (/\$\{[^}]+\}/.test(lines[i]) || /['"]\s*\+\s*\w+/.test(lines[i])) {
-            issues.push({
-              ruleId: "security/sql-injection",
-              severity: "high",
-              category: "security",
-              file: context.filePath,
-              startLine: i + 1,
-              endLine: i + 1,
-              message: t(
-                "Potential SQL injection \u2014 string interpolation in SQL query.",
-                "\u6F5C\u5728\u7684 SQL \u6CE8\u5165 \u2014 SQL \u67E5\u8BE2\u4E2D\u4F7F\u7528\u4E86\u5B57\u7B26\u4E32\u63D2\u503C\u3002"
-              ),
-              suggestion: t(
-                "Use parameterized queries or prepared statements instead.",
-                "\u8BF7\u6539\u7528\u53C2\u6570\u5316\u67E5\u8BE2\u6216\u9884\u7F16\u8BD1\u8BED\u53E5\u3002"
-              )
-            });
-          }
+        const line = lines[i];
+        const trimmed = line.trim();
+        if (isCommentLine(trimmed)) continue;
+        const hasSqlKeyword = sqlKeywords.test(line);
+        const hasInterpolation = /\$\{[^}]+\}/.test(line) || /['"]\s*\+\s*\w+/.test(line);
+        if (hasSqlKeyword && hasInterpolation && hasQueryContext(line)) {
+          issues.push({
+            ruleId: "security/sql-injection",
+            severity: "high",
+            category: "security",
+            file: context.filePath,
+            startLine: i + 1,
+            endLine: i + 1,
+            message: t(
+              "Potential SQL injection \u2014 string interpolation in SQL query.",
+              "\u6F5C\u5728\u7684 SQL \u6CE8\u5165 \u2014 SQL \u67E5\u8BE2\u4E2D\u4F7F\u7528\u4E86\u5B57\u7B26\u4E32\u63D2\u503C\u3002"
+            ),
+            suggestion: t(
+              "Use parameterized queries or prepared statements instead.",
+              "\u8BF7\u6539\u7528\u53C2\u6570\u5316\u67E5\u8BE2\u6216\u9884\u7F16\u8BD1\u8BED\u53E5\u3002"
+            )
+          });
         }
       }
       return issues;
@@ -1550,6 +1589,23 @@ var unusedImportRule = {
   severity: "low",
   title: "Unused import",
   description: "AI-generated code often imports modules or identifiers that are never used in the file.",
+  fixable: true,
+  fix(context, issue) {
+    const lines = context.fileContent.split("\n");
+    const lineIndex = issue.startLine - 1;
+    if (lineIndex < 0 || lineIndex >= lines.length) return null;
+    const line = lines[lineIndex].trim();
+    const isSingleDefault = /^import\s+\w+\s+from\s+/.test(line);
+    const isSingleNamed = /^import\s*\{\s*\w+\s*\}\s*from\s+/.test(line);
+    const isSingleTypeNamed = /^import\s+type\s*\{\s*\w+\s*\}\s*from\s+/.test(line);
+    const isSingleTypeDefault = /^import\s+type\s+\w+\s+from\s+/.test(line);
+    if (!isSingleDefault && !isSingleNamed && !isSingleTypeNamed && !isSingleTypeDefault) {
+      return null;
+    }
+    const [start, end] = lineRange(context.fileContent, issue.startLine);
+    if (start === end) return null;
+    return { range: [start, end], text: "" };
+  },
   check(context) {
     const issues = [];
     let ast;
@@ -1787,6 +1843,33 @@ var typeCoercionRule = {
   severity: "medium",
   title: "Loose equality with type coercion",
   description: "AI-generated code often uses == instead of ===, leading to implicit type coercion bugs.",
+  fixable: true,
+  fix(context, issue) {
+    const lines = context.fileContent.split("\n");
+    const lineIndex = issue.startLine - 1;
+    if (lineIndex < 0 || lineIndex >= lines.length) return null;
+    const line = lines[lineIndex];
+    const base = lineStartOffset(context.fileContent, issue.startLine);
+    const isNotEqual = issue.message.includes("!=");
+    const searchOp = isNotEqual ? "!=" : "==";
+    const replaceOp = isNotEqual ? "!==" : "===";
+    let pos = -1;
+    for (let j = 0; j < line.length - 1; j++) {
+      if (line[j] === searchOp[0] && line[j + 1] === "=") {
+        if (line[j + 2] === "=") {
+          j += 2;
+          continue;
+        }
+        if (!isNotEqual && j > 0 && (line[j - 1] === "!" || line[j - 1] === "<" || line[j - 1] === ">")) {
+          continue;
+        }
+        pos = j;
+        break;
+      }
+    }
+    if (pos === -1) return null;
+    return { range: [base + pos, base + pos + searchOp.length], text: replaceOp };
+  },
   check(context) {
     const issues = [];
     const lines = context.fileContent.split("\n");
@@ -2041,6 +2124,12 @@ var noDebuggerRule = {
   severity: "high",
   title: "Debugger statement",
   description: "Debugger statements should never be committed to production code.",
+  fixable: true,
+  fix(context, issue) {
+    const [start, end] = lineRange(context.fileContent, issue.startLine);
+    if (start === end) return null;
+    return { range: [start, end], text: "" };
+  },
   check(context) {
     const issues = [];
     const lines = context.fileContent.split("\n");
@@ -2355,12 +2444,7 @@ var noReassignParamRule = {
         }
       }
       if (paramNames.size === 0) return;
-      let body = null;
-      if (node.type === AST_NODE_TYPES.MethodDefinition) {
-        body = node.value;
-      } else {
-        body = node;
-      }
+      const body = node.type === AST_NODE_TYPES.MethodDefinition ? node.value : node;
       if (!body || !("body" in body)) return;
       const fnBody = body.body;
       if (!fnBody) return;
@@ -2597,15 +2681,33 @@ var RuleEngine = class {
     );
   }
   run(context) {
+    return this.runWithDiagnostics(context).issues;
+  }
+  runWithDiagnostics(context) {
     const allIssues = [];
+    const ruleFailures = [];
+    let rulesExecuted = 0;
+    let rulesFailed = 0;
     for (const rule of this.rules) {
+      rulesExecuted++;
       try {
         const issues = rule.check(context);
         allIssues.push(...issues);
-      } catch (_err) {
+      } catch (err) {
+        rulesFailed++;
+        ruleFailures.push({
+          ruleId: rule.id,
+          file: context.filePath,
+          message: err instanceof Error ? err.message : "Unknown rule execution failure"
+        });
       }
     }
-    return allIssues;
+    return {
+      issues: allIssues,
+      rulesExecuted,
+      rulesFailed,
+      ruleFailures
+    };
   }
   getRules() {
     return [...this.rules];
@@ -2985,6 +3087,8 @@ var PKG_VERSION = (() => {
     return "0.1.0";
   }
 })();
+var REPORT_SCHEMA_VERSION = "1.0.0";
+var FINGERPRINT_VERSION = "1";
 var ScanEngine = class {
   config;
   diffParser;
@@ -2995,80 +3099,198 @@ var ScanEngine = class {
     this.ruleEngine = new RuleEngine(config);
   }
   async scan(options) {
-    const diffFiles = await this.getDiffFiles(options);
+    const selection = await this.getScanCandidates(options);
     const allIssues = [];
-    for (const diffFile of diffFiles) {
-      if (diffFile.status === "deleted") continue;
-      const filePath = resolve2(diffFile.filePath);
-      let fileContent;
-      try {
-        if (existsSync3(filePath)) {
-          fileContent = await readFile(filePath, "utf-8");
-        } else {
-          const content = await this.diffParser.getFileContent(diffFile.filePath);
-          if (!content) continue;
-          fileContent = content;
-        }
-      } catch {
-        continue;
-      }
-      const addedLines = diffFile.hunks.flatMap((hunk) => {
-        const lines = hunk.content.split("\n");
-        const result = [];
-        let currentLine = hunk.newStart;
-        for (const line of lines) {
-          if (line.startsWith("+")) {
-            result.push({ lineNumber: currentLine, content: line.slice(1) });
-            currentLine++;
-          } else if (line.startsWith("-")) {
-          } else {
-            currentLine++;
-          }
-        }
-        return result;
-      });
-      const issues = this.ruleEngine.run({
-        filePath: diffFile.filePath,
-        fileContent,
-        addedLines
-      });
-      allIssues.push(...issues);
-      if (this.isTsJsFile(diffFile.filePath)) {
-        const structureResult = analyzeStructure(fileContent, diffFile.filePath, {
-          maxCyclomaticComplexity: this.config.thresholds["max-cyclomatic-complexity"],
-          maxCognitiveComplexity: this.config.thresholds["max-cognitive-complexity"],
-          maxFunctionLength: this.config.thresholds["max-function-length"],
-          maxNestingDepth: this.config.thresholds["max-nesting-depth"],
-          maxParamCount: this.config.thresholds["max-params"]
-        });
-        allIssues.push(...structureResult.issues);
-        const styleResult = analyzeStyle(fileContent, diffFile.filePath);
-        allIssues.push(...styleResult.issues);
-        const coverageResult = analyzeCoverage(fileContent, diffFile.filePath);
-        allIssues.push(...coverageResult.issues);
-      }
-    }
-    const dimensions = this.groupByDimension(allIssues);
+    const scanErrors = [];
+    const ruleFailures = [];
+    let rulesExecuted = 0;
+    let rulesFailed = 0;
+    let filesScanned = 0;
+    const results = await Promise.all(
+      selection.candidates.map((diffFile) => this.scanFile(diffFile))
+    );
+    for (const result of results) {
+      allIssues.push(...result.issues);
+      ruleFailures.push(...result.ruleFailures);
+      scanErrors.push(...result.scanErrors);
+      rulesExecuted += result.rulesExecuted;
+      rulesFailed += result.rulesFailed;
+      if (result.scanned) {
+        filesScanned++;
+      }
+    }
+    const issuesWithFingerprints = this.attachFingerprints(allIssues);
+    const dimensions = this.groupByDimension(issuesWithFingerprints);
     const overallScore = calculateOverallScore(dimensions, this.config.weights);
     const grade = getGrade(overallScore);
     const commitHash = await this.diffParser.getCurrentCommitHash();
     return {
+      schemaVersion: REPORT_SCHEMA_VERSION,
       version: PKG_VERSION,
       timestamp: (/* @__PURE__ */ new Date()).toISOString(),
       commit: commitHash,
+      scanMode: selection.scanMode,
       overall: {
         score: overallScore,
         grade,
-        filesScanned: diffFiles.filter((f) => f.status !== "deleted").length,
-        issuesFound: allIssues.length
+        filesScanned,
+        issuesFound: issuesWithFingerprints.length
+      },
+      toolHealth: {
+        rulesExecuted,
+        rulesFailed,
+        filesConsidered: selection.filesConsidered,
+        filesScanned,
+        filesExcluded: selection.filesExcluded,
+        filesSkipped: scanErrors.length,
+        scanErrors,
+        ruleFailures
       },
       dimensions,
-      issues: allIssues.sort((a, b) => {
+      issues: issuesWithFingerprints.sort((a, b) => {
         const severityOrder = { high: 0, medium: 1, low: 2, info: 3 };
         return severityOrder[a.severity] - severityOrder[b.severity];
       })
     };
   }
+  async scanFile(diffFile) {
+    if (diffFile.status === "deleted") {
+      return {
+        issues: [],
+        ruleFailures: [],
+        rulesExecuted: 0,
+        rulesFailed: 0,
+        scanErrors: [
+          {
+            type: "deleted-file",
+            file: diffFile.filePath,
+            message: `Skipped deleted file: ${diffFile.filePath}`
+          }
+        ],
+        scanned: false
+      };
+    }
+    if (!this.isTsJsFile(diffFile.filePath)) {
+      return {
+        issues: [],
+        ruleFailures: [],
+        rulesExecuted: 0,
+        rulesFailed: 0,
+        scanErrors: [
+          {
+            type: "unsupported-file-type",
+            file: diffFile.filePath,
+            message: `Skipped unsupported file type: ${diffFile.filePath}`
+          }
+        ],
+        scanned: false
+      };
+    }
+    const filePath = resolve2(diffFile.filePath);
+    let fileContent;
+    try {
+      fileContent = await readFile(filePath, "utf-8");
+    } catch {
+      const content = await this.diffParser.getFileContent(diffFile.filePath);
+      if (!content) {
+        return {
+          issues: [],
+          ruleFailures: [],
+          rulesExecuted: 0,
+          rulesFailed: 0,
+          scanErrors: [
+            {
+              type: "missing-file-content",
+              file: diffFile.filePath,
+              message: `Unable to read file content for ${diffFile.filePath}`
+            }
+          ],
+          scanned: false
+        };
+      }
+      fileContent = content;
+    }
+    const addedLines = diffFile.hunks.flatMap((hunk) => {
+      const lines = hunk.content.split("\n");
+      const result = [];
+      let currentLine = hunk.newStart;
+      for (const line of lines) {
+        if (line.startsWith("+")) {
+          result.push({ lineNumber: currentLine, content: line.slice(1) });
+          currentLine++;
+        } else if (line.startsWith("-")) {
+        } else {
+          currentLine++;
+        }
+      }
+      return result;
+    });
+    const ruleResult = this.ruleEngine.runWithDiagnostics({
+      filePath: diffFile.filePath,
+      fileContent,
+      addedLines
+    });
+    const issues = [...ruleResult.issues];
+    const structureResult = analyzeStructure(fileContent, diffFile.filePath, {
+      maxCyclomaticComplexity: this.config.thresholds["max-cyclomatic-complexity"],
+      maxCognitiveComplexity: this.config.thresholds["max-cognitive-complexity"],
+      maxFunctionLength: this.config.thresholds["max-function-length"],
+      maxNestingDepth: this.config.thresholds["max-nesting-depth"],
+      maxParamCount: this.config.thresholds["max-params"]
+    });
+    issues.push(...structureResult.issues);
+    const styleResult = analyzeStyle(fileContent, diffFile.filePath);
+    issues.push(...styleResult.issues);
+    const coverageResult = analyzeCoverage(fileContent, diffFile.filePath);
+    issues.push(...coverageResult.issues);
+    return {
+      issues,
+      ruleFailures: ruleResult.ruleFailures,
+      rulesExecuted: ruleResult.rulesExecuted,
+      rulesFailed: ruleResult.rulesFailed,
+      scanErrors: [],
+      scanned: true
+    };
+  }
+  async getScanCandidates(options) {
+    const scanMode = this.getScanMode(options);
+    const candidates = await this.getDiffFiles(options);
+    if (scanMode === "files") {
+      return {
+        scanMode,
+        candidates,
+        filesConsidered: options.files?.length ?? candidates.length,
+        filesExcluded: (options.files?.length ?? candidates.length) - candidates.length
+      };
+    }
+    const filteredCandidates = [];
+    let filesExcluded = 0;
+    for (const candidate of candidates) {
+      if (this.shouldIncludeFile(candidate.filePath)) {
+        filteredCandidates.push(candidate);
+      } else {
+        filesExcluded++;
+      }
+    }
+    return {
+      scanMode,
+      candidates: filteredCandidates,
+      filesConsidered: candidates.length,
+      filesExcluded
+    };
+  }
+  getScanMode(options) {
+    if (options.staged) {
+      return "staged";
+    }
+    if (options.diff) {
+      return "diff";
+    }
+    if (options.files && options.files.length > 0) {
+      return "files";
+    }
+    return "changed";
+  }
   async getDiffFiles(options) {
     if (options.staged) {
       return this.diffParser.getStagedFiles();
@@ -3077,14 +3299,10 @@ var ScanEngine = class {
       return this.diffParser.getDiffFromRef(options.diff);
     }
     if (options.files && options.files.length > 0) {
+      const includedFiles = options.files.filter((filePath) => this.shouldIncludeFile(filePath));
       return Promise.all(
-        options.files.map(async (filePath) => {
-          let content = "";
-          try {
-            content = await readFile(resolve2(filePath), "utf-8");
-          } catch {
-          }
-          return {
+        includedFiles.map(
+          (filePath) => readFile(resolve2(filePath), "utf-8").catch(() => "").then((content) => ({
             filePath,
             status: "modified",
             additions: content.split("\n").length,
@@ -3096,18 +3314,64 @@ var ScanEngine = class {
                 oldLines: 0,
                 newStart: 1,
                 newLines: content.split("\n").length,
-                content: content.split("\n").map((l) => "+" + l).join("\n")
+                content: content.split("\n").map((line) => "+" + line).join("\n")
               }
             ]
-          };
-        })
+          }))
+        )
       );
     }
     return this.diffParser.getChangedFiles();
   }
+  shouldIncludeFile(filePath) {
+    const normalizedPath = filePath.split(sep).join("/");
+    const includePatterns = this.config.include.length > 0 ? this.config.include : ["**/*"];
+    const included = includePatterns.some((pattern) => this.matchesPattern(normalizedPath, pattern));
+    if (!included) {
+      return false;
+    }
+    return !this.config.exclude.some((pattern) => this.matchesPattern(normalizedPath, pattern));
+  }
+  matchesPattern(filePath, pattern) {
+    let regexPattern = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
+    regexPattern = regexPattern.replace(/\*\*\//g, "::DOUBLE_DIR::");
+    regexPattern = regexPattern.replace(/\*\*/g, "::DOUBLE_STAR::");
+    regexPattern = regexPattern.replace(/\*/g, "[^/]*");
+    regexPattern = regexPattern.replace(/::DOUBLE_DIR::/g, "(?:.*/)?");
+    regexPattern = regexPattern.replace(/::DOUBLE_STAR::/g, ".*");
+    return new RegExp(`^${regexPattern}$`).test(filePath);
+  }
   isTsJsFile(filePath) {
     return /\.(ts|tsx|js|jsx|mts|mjs|cts|cjs)$/.test(filePath);
   }
+  attachFingerprints(issues) {
+    const occurrenceCounts = /* @__PURE__ */ new Map();
+    return issues.map((issue) => {
+      const normalizedFile = this.normalizeRelativePath(issue.file);
+      const locationComponent = `${issue.startLine}:${issue.endLine}`;
+      const baseKey = [
+        issue.ruleId,
+        normalizedFile,
+        issue.category,
+        issue.severity,
+        locationComponent
+      ].join("|");
+      const occurrenceIndex = occurrenceCounts.get(baseKey) ?? 0;
+      occurrenceCounts.set(baseKey, occurrenceIndex + 1);
+      const fingerprint = createHash("sha256").update(`${FINGERPRINT_VERSION}|${baseKey}|${occurrenceIndex}`).digest("hex");
+      return {
+        ...issue,
+        file: normalizedFile,
+        fingerprint,
+        fingerprintVersion: FINGERPRINT_VERSION
+      };
+    });
+  }
+  normalizeRelativePath(filePath) {
+    const absolutePath = resolve2(filePath);
+    const relativePath = relative(process.cwd(), absolutePath) || filePath;
+    return relativePath.split(sep).join("/");
+  }
   groupByDimension(issues) {
     const categories = [
       "security",
@@ -3118,7 +3382,7 @@ var ScanEngine = class {
     ];
     const grouped = {};
     for (const cat of categories) {
-      const catIssues = issues.filter((i) => i.category === cat);
+      const catIssues = issues.filter((issue) => issue.category === cat);
       grouped[cat] = calculateDimensionScore(catIssues);
     }
     return grouped;
@@ -3138,7 +3402,11 @@ var en = {
   issuesFound: "{{count}} issue(s) found",
   issuesHeader: "Issues ({{count}}):",
   noIssuesFound: "No issues found! \u{1F389}",
-  scanned: "Scanned {{count}} file(s)"
+  scanned: "Scanned {{count}} file(s)",
+  healthHeader: "Tool Health",
+  rulesFailed: "Failed rules: {{count}}",
+  filesSkipped: "Skipped files: {{count}}",
+  filesExcluded: "Excluded files: {{count}}"
 };
 var zh = {
   reportTitle: "\u{1F4CA} CodeTrust \u62A5\u544A",
@@ -3150,7 +3418,11 @@ var zh = {
   issuesFound: "\u53D1\u73B0 {{count}} \u4E2A\u95EE\u9898",
   issuesHeader: "\u95EE\u9898\u5217\u8868 ({{count}}):",
   noIssuesFound: "\u672A\u53D1\u73B0\u95EE\u9898! \u{1F389}",
-  scanned: "\u626B\u63CF\u4E86 {{count}} \u4E2A\u6587\u4EF6"
+  scanned: "\u626B\u63CF\u4E86 {{count}} \u4E2A\u6587\u4EF6",
+  healthHeader: "\u5DE5\u5177\u5065\u5EB7\u5EA6",
+  rulesFailed: "\u5931\u8D25\u89C4\u5219\u6570\uFF1A{{count}}",
+  filesSkipped: "\u8DF3\u8FC7\u6587\u4EF6\u6570\uFF1A{{count}}",
+  filesExcluded: "\u6392\u9664\u6587\u4EF6\u6570\uFF1A{{count}}"
 };
 function renderTerminalReport(report) {
   const isZh = isZhLocale();
@@ -3192,19 +3464,32 @@ function renderTerminalReport(report) {
   };
   const dims = ["security", "logic", "structure", "style", "coverage"];
   for (const dim of dims) {
-    const d = report.dimensions[dim];
-    const dimEmoji = d.score >= 80 ? "\u2705" : d.score >= 60 ? "\u26A0\uFE0F" : "\u274C";
-    const color = getScoreColor(d.score);
-    const issueCount = d.issues.length;
+    const dimension = report.dimensions[dim];
+    const dimEmoji = dimension.score >= 80 ? "\u2705" : dimension.score >= 60 ? "\u26A0\uFE0F" : "\u274C";
+    const color = getScoreColor(dimension.score);
+    const issueCount = dimension.issues.length;
     const detail = issueCount === 0 ? pc.green(t2.noIssues) : t2.issuesFound.replace("{{count}}", String(issueCount));
     table.push([
       `${dimEmoji} ${dimLabels[dim]}`,
-      color(String(d.score)),
+      color(String(dimension.score)),
       detail
     ]);
   }
   lines.push(table.toString());
   lines.push("");
+  if (report.toolHealth.rulesFailed > 0 || report.toolHealth.filesSkipped > 0 || report.toolHealth.filesExcluded > 0) {
+    lines.push(pc.bold(t2.healthHeader));
+    if (report.toolHealth.rulesFailed > 0) {
+      lines.push(pc.yellow(`  ${t2.rulesFailed.replace("{{count}}", String(report.toolHealth.rulesFailed))}`));
+    }
+    if (report.toolHealth.filesSkipped > 0) {
+      lines.push(pc.yellow(`  ${t2.filesSkipped.replace("{{count}}", String(report.toolHealth.filesSkipped))}`));
+    }
+    if (report.toolHealth.filesExcluded > 0) {
+      lines.push(pc.dim(`  ${t2.filesExcluded.replace("{{count}}", String(report.toolHealth.filesExcluded))}`));
+    }
+    lines.push("");
+  }
   if (report.issues.length > 0) {
     lines.push(pc.bold(t2.issuesHeader.replace("{{count}}", String(report.issues.length))));
     lines.push("");
@@ -3268,12 +3553,23 @@ function getScoreColor(score) {
 
 // src/cli/output/json.ts
 function renderJsonReport(report) {
-  return JSON.stringify(report, null, 2);
+  const payload = {
+    schemaVersion: report.schemaVersion,
+    version: report.version,
+    timestamp: report.timestamp,
+    commit: report.commit,
+    scanMode: report.scanMode,
+    overall: report.overall,
+    toolHealth: report.toolHealth,
+    dimensions: report.dimensions,
+    issues: report.issues
+  };
+  return JSON.stringify(payload, null, 2);
 }
 
 // src/cli/commands/scan.ts
 function createScanCommand() {
-  const cmd = new Command("scan").description("Scan code changes for trust issues").argument("[files...]", "Specific files to scan").option("--staged", "Scan only git staged files").option("--diff <ref>", "Scan diff against a git ref (e.g. HEAD~1, origin/main)").option("--format <format>", "Output format: terminal, json", "terminal").option("--min-score <score>", "Minimum trust score threshold", "0").action(async (files, opts) => {
+  const cmd = new Command("scan").description("Run the primary live trust analysis command").argument("[files...]", "Specific files to scan").option("--staged", "Scan only git staged files").option("--diff <ref>", "Scan diff against a git ref (e.g. HEAD~1, origin/main)").option("--format <format>", "Output format: terminal, json", "terminal").option("--min-score <score>", "Minimum trust score threshold", "0").action(async (files, opts) => {
     try {
       const config = await loadConfig();
       const engine = new ScanEngine(config);
@@ -3308,7 +3604,7 @@ function createScanCommand() {
 // src/cli/commands/report.ts
 import { Command as Command2 } from "commander";
 function createReportCommand() {
-  const cmd = new Command2("report").description("Generate a trust report for recent changes").option("--json", "Output as JSON").option("--diff <ref>", "Diff against a git ref", "HEAD~1").action(async (opts) => {
+  const cmd = new Command2("report").description("Render a report for a diff-based scan (transitional wrapper around scan)").option("--json", "Output as JSON").option("--diff <ref>", "Diff against a git ref for report presentation", "HEAD~1").action(async (opts) => {
     try {
       const config = await loadConfig();
       const engine = new ScanEngine(config);
@@ -3332,14 +3628,14 @@ function createReportCommand() {
 
 // src/cli/commands/init.ts
 import { writeFile } from "fs/promises";
-import { existsSync as existsSync4 } from "fs";
+import { existsSync as existsSync3 } from "fs";
 import { resolve as resolve3 } from "path";
 import { Command as Command3 } from "commander";
 import pc2 from "picocolors";
 function createInitCommand() {
   const cmd = new Command3("init").description("Initialize CodeTrust configuration file").action(async () => {
     const configPath = resolve3(".codetrust.yml");
-    if (existsSync4(configPath)) {
+    if (existsSync3(configPath)) {
       console.log(pc2.yellow("\u26A0\uFE0F  .codetrust.yml already exists. Skipping."));
       return;
     }
@@ -3413,7 +3709,7 @@ function formatSeverity2(severity) {
 
 // src/cli/commands/hook.ts
 import { writeFile as writeFile2, chmod, mkdir } from "fs/promises";
-import { existsSync as existsSync5 } from "fs";
+import { existsSync as existsSync4 } from "fs";
 import { resolve as resolve4, join as join2 } from "path";
 import { Command as Command5 } from "commander";
 import pc4 from "picocolors";
@@ -3430,17 +3726,17 @@ function createHookCommand() {
   const cmd = new Command5("hook").description("Manage git hooks");
   cmd.command("install").description("Install pre-commit hook").action(async () => {
     const gitDir = resolve4(".git");
-    if (!existsSync5(gitDir)) {
+    if (!existsSync4(gitDir)) {
       console.error(pc4.red("Error: Not a git repository."));
       process.exit(1);
     }
     const hooksDir = join2(gitDir, "hooks");
     const hookPath = join2(hooksDir, "pre-commit");
     try {
-      if (!existsSync5(hooksDir)) {
+      if (!existsSync4(hooksDir)) {
         await mkdir(hooksDir, { recursive: true });
       }
-      if (existsSync5(hookPath)) {
+      if (existsSync4(hookPath)) {
         console.log(pc4.yellow("\u26A0\uFE0F  pre-commit hook already exists. Skipping."));
         console.log(pc4.dim("   Remove .git/hooks/pre-commit to reinstall."));
         return;
@@ -3460,19 +3756,238 @@ function createHookCommand() {
   return cmd;
 }
 
+// src/cli/commands/fix.ts
+import { Command as Command6 } from "commander";
+
+// src/core/fix-engine.ts
+import { readFileSync as readFileSync2, writeFileSync } from "fs";
+import pc5 from "picocolors";
+var FixEngine = class {
+  ruleEngine;
+  constructor(config) {
+    this.ruleEngine = new RuleEngine(config);
+  }
+  /**
+   * Fix issues in files. Returns results per file.
+   * Uses text range replacement to preserve formatting.
+   * Applies fixes iteratively (up to maxIterations) to handle cascading issues.
+   */
+  async fix(options) {
+    const results = [];
+    const maxIter = options.maxIterations ?? 10;
+    for (const filePath of options.files) {
+      const result = this.fixFile(filePath, options.dryRun ?? true, options.ruleId, maxIter);
+      if (result.applied > 0 || result.skipped > 0) {
+        results.push(result);
+      }
+    }
+    return results;
+  }
+  fixFile(filePath, dryRun, ruleId, maxIter) {
+    const result = {
+      file: filePath,
+      applied: 0,
+      skipped: 0,
+      details: []
+    };
+    let content;
+    try {
+      content = readFileSync2(filePath, "utf-8");
+    } catch {
+      return result;
+    }
+    for (let iter = 0; iter < maxIter; iter++) {
+      const context = {
+        filePath,
+        fileContent: content,
+        addedLines: []
+      };
+      let issues = this.ruleEngine.run(context);
+      if (ruleId) {
+        issues = issues.filter((i) => i.ruleId === ruleId);
+      }
+      const fixableRules = this.ruleEngine.getRules().filter((r) => r.fixable && r.fix);
+      const fixableRuleMap = new Map(fixableRules.map((r) => [r.id, r]));
+      const fixesWithIssues = [];
+      for (const issue of issues) {
+        const rule = fixableRuleMap.get(issue.ruleId);
+        if (!rule || !rule.fix) continue;
+        const fix = rule.fix(context, issue);
+        if (fix) {
+          fixesWithIssues.push({ fix, issue });
+        }
+      }
+      if (fixesWithIssues.length === 0) break;
+      fixesWithIssues.sort((a, b) => b.fix.range[0] - a.fix.range[0]);
+      const nonConflicting = [];
+      for (const item of fixesWithIssues) {
+        const hasConflict = nonConflicting.some(
+          (existing) => item.fix.range[0] < existing.fix.range[1] && item.fix.range[1] > existing.fix.range[0]
+        );
+        if (hasConflict) {
+          result.skipped++;
+          result.details.push({
+            ruleId: item.issue.ruleId,
+            line: item.issue.startLine,
+            message: item.issue.message,
+            status: "conflict"
+          });
+        } else {
+          nonConflicting.push(item);
+        }
+      }
+      if (nonConflicting.length === 0) break;
+      let newContent = content;
+      for (const { fix, issue } of nonConflicting) {
+        const before = newContent.slice(0, fix.range[0]);
+        const after = newContent.slice(fix.range[1]);
+        newContent = before + fix.text + after;
+        result.applied++;
+        result.details.push({
+          ruleId: issue.ruleId,
+          line: issue.startLine,
+          message: issue.message,
+          status: "applied"
+        });
+      }
+      content = newContent;
+      if (nonConflicting.length === 0) break;
+    }
+    if (!dryRun && result.applied > 0) {
+      writeFileSync(filePath, content, "utf-8");
+    }
+    return result;
+  }
+  /**
+   * Format fix results for terminal output.
+   */
+  static formatResults(results, dryRun) {
+    if (results.length === 0) {
+      return pc5.green(t("No fixable issues found.", "\u672A\u53D1\u73B0\u53EF\u4FEE\u590D\u7684\u95EE\u9898\u3002"));
+    }
+    const lines = [];
+    const modeLabel = dryRun ? pc5.yellow(t("[DRY RUN]", "[\u9884\u6F14\u6A21\u5F0F]")) : pc5.green(t("[APPLIED]", "[\u5DF2\u5E94\u7528]"));
+    lines.push(`
+${modeLabel} ${t("Fix Results:", "\u4FEE\u590D\u7ED3\u679C\uFF1A")}
+`);
+    let totalApplied = 0;
+    let totalSkipped = 0;
+    for (const result of results) {
+      lines.push(pc5.bold(pc5.underline(result.file)));
+      for (const detail of result.details) {
+        const icon = detail.status === "applied" ? pc5.green("\u2713") : detail.status === "conflict" ? pc5.yellow("\u26A0") : pc5.dim("\u2013");
+        const lineRef = pc5.dim(`L${detail.line}`);
+        const ruleRef = pc5.cyan(detail.ruleId);
+        lines.push(`  ${icon} ${lineRef} ${ruleRef} ${detail.message}`);
+      }
+      totalApplied += result.applied;
+      totalSkipped += result.skipped;
+      lines.push("");
+    }
+    lines.push(
+      pc5.bold(
+        t(
+          `${totalApplied} fix(es) ${dryRun ? "would be" : ""} applied, ${totalSkipped} skipped`,
+          `${totalApplied} \u4E2A\u4FEE\u590D${dryRun ? "\u5C06\u88AB" : "\u5DF2"}\u5E94\u7528\uFF0C${totalSkipped} \u4E2A\u8DF3\u8FC7`
+        )
+      )
+    );
+    if (dryRun) {
+      lines.push(
+        pc5.dim(
+          t(
+            "Run without --dry-run to apply fixes.",
+            "\u79FB\u9664 --dry-run \u4EE5\u5E94\u7528\u4FEE\u590D\u3002"
+          )
+        )
+      );
+    }
+    return lines.join("\n");
+  }
+};
+
+// src/cli/commands/fix.ts
+import { resolve as resolve5 } from "path";
+import { readdirSync, statSync } from "fs";
+function collectFiles(dir) {
+  const ignorePatterns = ["node_modules", "dist", ".git", "coverage", ".next", "build"];
+  const results = [];
+  function walk(d) {
+    const entries = readdirSync(d, { withFileTypes: true });
+    for (const entry of entries) {
+      if (ignorePatterns.includes(entry.name)) continue;
+      const fullPath = resolve5(d, entry.name);
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (/\.(ts|tsx|js|jsx)$/.test(entry.name)) {
+        results.push(fullPath);
+      }
+    }
+  }
+  walk(dir);
+  return results;
+}
+function createFixCommand() {
+  const cmd = new Command6("fix").description("Auto-fix issues in source files").argument("[files...]", "Specific files or directories to fix (default: src/)").option("--dry-run", "Preview fixes without applying them (default)", true).option("--apply", "Actually apply the fixes").option("--rule <ruleId>", "Only fix issues from a specific rule").action(async (files, opts) => {
+    try {
+      const config = await loadConfig();
+      const engine = new FixEngine(config);
+      let targetFiles;
+      if (files.length > 0) {
+        targetFiles = [];
+        for (const f of files) {
+          const resolved = resolve5(f);
+          try {
+            const stat = statSync(resolved);
+            if (stat.isDirectory()) {
+              targetFiles.push(...collectFiles(resolved));
+            } else {
+              targetFiles.push(resolved);
+            }
+          } catch {
+            console.error(`File not found: ${f}`);
+          }
+        }
+      } else {
+        targetFiles = collectFiles(resolve5("src"));
+      }
+      if (targetFiles.length === 0) {
+        console.log("No files to fix.");
+        return;
+      }
+      const dryRun = !opts.apply;
+      const results = await engine.fix({
+        files: targetFiles,
+        dryRun,
+        ruleId: opts.rule
+      });
+      console.log(FixEngine.formatResults(results, dryRun));
+    } catch (err) {
+      if (err instanceof Error) {
+        console.error(`Error: ${err.message}`);
+      } else {
+        console.error("An unexpected error occurred");
+      }
+      process.exit(1);
+    }
+  });
+  return cmd;
+}
+
 // src/cli/index.ts
-import { readFileSync as readFileSync2 } from "fs";
+import { readFileSync as readFileSync3 } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
-import { dirname as dirname4, resolve as resolve5 } from "path";
+import { dirname as dirname4, resolve as resolve6 } from "path";
 var __filename2 = fileURLToPath2(import.meta.url);
 var __dirname2 = dirname4(__filename2);
-var pkg = JSON.parse(readFileSync2(resolve5(__dirname2, "../../package.json"), "utf-8"));
-var program = new Command6();
+var pkg = JSON.parse(readFileSync3(resolve6(__dirname2, "../../package.json"), "utf-8"));
+var program = new Command7();
 program.name("codetrust").description("AI code trust verification tool \u2014 verify AI-generated code with deterministic algorithms").version(pkg.version);
 program.addCommand(createScanCommand());
 program.addCommand(createReportCommand());
 program.addCommand(createInitCommand());
 program.addCommand(createRulesCommand());
 program.addCommand(createHookCommand());
+program.addCommand(createFixCommand());
 program.parse();
 //# sourceMappingURL=index.js.map