@hivehub/rulebook 3.4.2 → 4.0.0

package/.claude/commands/continue.md

@@ -0,0 +1,33 @@
+---
+name: /continue
+id: continue
+category: Rulebook
+description: Update tasks.md, archive completed tasks, and continue implementation.
+---
+<!-- RULEBOOK:START -->
+**Steps**
+
+1. **Update tasks.md for all active tasks**:
+   - Mark completed items as `[x]` in every active `tasks.md`
+   - Remove or update items that are no longer relevant
+
+2. **Archive fully completed tasks**:
+   For each task where ALL items are `[x]`:
+   ```bash
+   rulebook task archive <task-id>
+   ```
+
+3. **Get current session context**:
+   ```bash
+   rulebook continue
+   ```
+   Use this output to understand what's pending and what was done.
+
+4. **Continue implementation**:
+   - Pick the next pending task from the context above
+   - Work through its `tasks.md` checklist item by item
+   - Follow priority order: tests → coverage → update tasks.md → commit
+
+**Reference**
+- See `/.rulebook/specs/RULEBOOK.md` for complete task management guidelines
+<!-- RULEBOOK:END -->

package/.claude-plugin/marketplace.json

@@ -1,29 +1,28 @@
-{
-  "name": "hivehub-marketplace",
-  "owner": {
-    "name": "HiveLLM Team",
-    "email": "support@hivellm.com",
-    "url": "https://github.com/hivellm"
-  },
-  "plugins": [
-    {
-      "name": "rulebook",
-      "source": ".",
-      "description": "Standardize AI-generated projects with skills, templates, persistent memory, and quality gates. Supports 28 languages, 17 frameworks, 13 MCP modules, and 20 services.",
-      "version": "3.4.2",
-      "repository": "https://github.com/hivellm/rulebook",
-      "homepage": "https://github.com/hivellm/rulebook#readme",
-      "keywords": [
-        "ai",
-        "automation",
-        "templates",
-        "standards",
-        "skills",
-        "mcp",
-        "task-management",
-        "quality-gates"
-      ]
-    }
-  ]
-}
-
+{
+  "name": "hivehub-marketplace",
+  "owner": {
+    "name": "HiveLLM Team",
+    "email": "support@hivellm.com",
+    "url": "https://github.com/hivellm"
+  },
+  "plugins": [
+    {
+      "name": "rulebook",
+      "source": ".",
+      "description": "Standardize AI-generated projects with skills, templates, persistent memory, and quality gates. Supports 28 languages, 17 frameworks, 13 MCP modules, and 20 services.",
+      "version": "4.0.0",
+      "repository": "https://github.com/hivellm/rulebook",
+      "homepage": "https://github.com/hivellm/rulebook#readme",
+      "keywords": [
+        "ai",
+        "automation",
+        "templates",
+        "standards",
+        "skills",
+        "mcp",
+        "task-management",
+        "quality-gates"
+      ]
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -1,8 +1,8 @@
-{
-  "name": "rulebook",
-  "description": "Standardize AI-generated projects with Ralph autonomous loop, persistent memory, and quality gates. Supports 28 languages, 17 frameworks, 13 MCP modules, and 20 services.",
-  "version": "3.4.2",
-  "author": {
-    "name": "HiveLLM"
-  }
-}
+{
+  "name": "rulebook",
+  "description": "Standardize AI-generated projects with Ralph autonomous loop, persistent memory, and quality gates. Supports 28 languages, 17 frameworks, 13 MCP modules, and 20 services.",
+  "version": "4.0.0",
+  "author": {
+    "name": "HiveLLM"
+  }
+}

package/README.md

@@ -35,14 +35,14 @@ By giving LLMs a clear "rulebook" to follow, you ensure that every piece of gene
 ## Quick Start
 
 ```bash
-# New project (interactive)
+# New project — auto-detects languages, frameworks, services (no prompts)
 npx @hivehub/rulebook@latest init
 
 # Minimal setup (essentials only)
 npx @hivehub/rulebook@latest init --minimal
 
-# Light mode (prototypes without strict rules)
-npx @hivehub/rulebook@latest init --light
+# Lean mode — AGENTS.md as <3KB index (fast AI loading)
+npx @hivehub/rulebook@latest init --lean
 
 # Update existing project
 npx @hivehub/rulebook@latest update
@@ -50,148 +50,36 @@ npx @hivehub/rulebook@latest update
 
 ## What's New
 
-### v3.1.0
+See the full [CHANGELOG](CHANGELOG.md) for details.
 
-- 🤖 **Ralph Autonomous Loop Integration**: Multi-iteration AI agent task solving with fresh context per iteration
-  - Autonomous iteration loop with configurable max iterations
-  - Fresh context per iteration to avoid context window exhaustion
-  - Quality gates: type-check, lint, tests, coverage verification
-  - Detailed iteration tracking with history and metrics
-  - PRD (Product Requirements Document) generation from rulebook tasks
-  - 6 CLI commands: `rulebook ralph init|run|status|history|pause|resume`
-  - 4 MCP tools: `rulebook_ralph_init|run|status|get_iteration_history`
-  - Graceful pause/resume capabilities for long-running loops
-  - Automatic directory migration from old structure to new `.rulebook/` layout
-- 📁 **Consolidated Directory Structure**: Single `.rulebook/` directory for all rulebook data
-  - `memory/` subdirectory for persistent memory system
-  - `ralph/` subdirectory for autonomous loop state and history
-  - Automatic migration from `rulebook/`, `.rulebook-memory/`, and `.rulebook-ralph/` during `init` and `update`
-- 📖 **Comprehensive Ralph Documentation**: 450+ lines of guides, examples, and best practices
-  - Complete Ralph usage guide with task sizing guidelines
-  - Configuration reference and MCP integration examples
-  - Real-world workflows and troubleshooting strategies
-
-### v3.0.0
-
-- 🧠 **Persistent Memory System**: Zero-dependency persistent context across AI sessions
-  - Hybrid search: BM25 keyword + HNSW vector with Reciprocal Rank Fusion
-  - TF-IDF embeddings with FNV1a feature hashing (256-dim, pure TypeScript)
-  - SQLite persistence via sql.js WASM (zero native compilation)
-  - LRU cache eviction (500MB default, protects decision memories)
-  - Privacy filter: auto-redacts `<private>...</private>` tags
-  - 7 memory types: bugfix, feature, refactor, decision, discovery, change, observation
-  - 6 MCP tools + 6 CLI commands for complete memory management
-- 🧩 **119 Skills with YAML Frontmatter**: All 106 legacy templates converted to proper SKILL.md format
-  - 28 languages, 17 frameworks, 13 modules, 20 services, 8 IDEs, 15 CLI, 5 core + git/hooks
-- 🔌 **Claude Code Commands**: Memory + task commands auto-installed to `.claude/commands/`
-- 🔧 **Update Preserves Config**: `rulebook update` no longer resets custom `.rulebook` fields (memory, skills, timeouts, etc.)
-- 🛡️ **MCP Config Safety**: `.mcp.json` entry preserved if already configured (no more overwriting)
-
-### v2.1.0
-
-- 🔒 **Claude Code Critical Directives**: New mandatory rules for Claude Code CLI
-  - **Sequential File Editing**: Files must be edited one at a time to prevent failures from parallel edits
-  - **Complete Test Implementation**: Strict rules against simplifying tests, placeholder assertions, or skipping test cases
-  - Updated `CLAUDE.md` generation with comprehensive guidelines and examples
-- 🪟 **Windows Test Suite Fix**: Tests no longer hang on Windows (705 tests passing, 11x faster)
-
-### v2.0.0
-
-- 🧩 **Skills System**: New modular skills architecture for AI-assisted development
-  - Skills are YAML-frontmatter Markdown files with enable/disable functionality
-  - 10 skill categories: languages, frameworks, modules, services, workflows, ides, core, cli, git, hooks
-  - Auto-detection of skills based on project configuration
-  - CLI commands: `rulebook skill list|add|remove|show|search`
-  - MCP functions: `rulebook_skill_list|show|enable|disable|search|validate`
-- 🤖 **AI CLI Configuration Files**: Auto-generated files for AI CLI tools
-  - `CLAUDE.md` - Claude Code CLI configuration
-  - `CODEX.md` - OpenAI Codex CLI configuration
-  - `GEMINI.md` - Google Gemini CLI configuration
-  - `gemini-extension.json` - Gemini CLI extension manifest
-- 🔌 **Claude Code Plugin**: `marketplace.json` + `.claude-plugin/` structure for marketplace distribution
-  - `marketplace.json` - Marketplace manifest for plugin discovery
-  - Plugin manifest, MCP configuration, slash commands, and skills
-
-### v1.1.5
-
-- 🗄️ **Service Integration Templates**: Added comprehensive service integration templates
-  - 20 service templates: PostgreSQL, MySQL, MariaDB, SQL Server, Oracle, SQLite, MongoDB, Cassandra, DynamoDB, Redis, Memcached, Elasticsearch, Neo4j, InfluxDB, RabbitMQ, Kafka, S3, Azure Blob, GCS, MinIO
-  - Automatic service detection from `package.json`, `.env`, and `docker-compose.yml`
-  - Service-specific integration instructions with connection setup, operations, best practices, and configuration
-  - Templates generated in `/rulebook/[SERVICE].md` with references in `AGENTS.md`
-  - Interactive CLI prompt to select which services to include templates for
-
-### v1.1.4
-
-- 🔧 **Cross-platform Git Hooks**: Git hooks now work on both Windows and Linux
-  - Hooks are now generated as Node.js scripts with shell wrappers
-  - Shell wrapper detects Node.js in common locations (Windows and Linux)
-  - Node.js scripts use native `child_process.spawn` for cross-platform command execution
-  - Pre-commit and pre-push hooks now function correctly on Windows (Git Bash) and Linux
-- 🔄 **Git Hooks Architecture**: Refactored hook generation system
-  - Hooks are now generated as two files: shell wrapper + Node.js script
-  - Shell templates (`.sh`) are automatically converted to Node.js scripts
-  - Improved command parsing from shell templates to Node.js
-  - Better error handling and cross-platform compatibility
-
-### v1.1.3
-
-- 🗑️ **MCP Tool: `rulebook_task_delete`**: Delete tasks permanently
-  - New tool to permanently delete tasks from the filesystem
-  - Removes task directory recursively
-  - Useful for cleaning up test tasks or removing unwanted tasks
-  - Total of 7 MCP functions now available
-
-### v1.1.2
-
-- 🔧 **ESLint v9 Migration**: Updated to ESLint flat config format
-  - Migrated from `.eslintrc.json` to `eslint.config.js`
-  - Updated to ESLint 9.37.0 with TypeScript ESLint 8.47.0
-  - Added proper Node.js global type definitions
-  - Linting now shows only errors (warnings suppressed with `--quiet`)
-
-### v1.0.3
-
-- 🔧 **Zod v3 Compatibility**: Using Zod v3.25.76 for full MCP SDK compatibility
-  - MCP SDK v1.22.0 requires Zod v3 (see [Issue #1429](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1429))
-  - Will upgrade to Zod v4 when MCP SDK officially supports it
-- 🔄 **Dependency Updates**: All dependencies updated to latest versions
-  - TypeScript tooling (ESLint 8.47.0, Vitest 4.0.13)
-  - Node.js types updated to support Node.js 24.x
-  - CLI tools and build utilities updated
-- 🐛 **Windows CI Fix**: Fixed PowerShell compatibility in GitHub Actions workflows
-  - Removed bash-specific syntax from Windows runners
-  - Cross-platform compatibility improved
-
-### v1.0.2
-
-- 🔌 **MCP Server for Task Management**: New MCP server enables AI models to manage tasks programmatically
-  - 7 MCP functions: create, list, show, update, validate, archive, delete tasks
-  - Available via `npx @hivellm/rulebook@latest mcp-server` or `npx rulebook-mcp`
-  - Better integration with MCP-compatible AI assistants
-- ⚡ **Faster Pre-commit Hooks**: Tests removed from pre-commit for faster backup commits
-  - Pre-commit now runs only: format check, lint, type-check
-  - Tests moved to pre-push hook for comprehensive validation
-- 🏗️ **Build Verification**: Build check now mandatory before push (runs first)
-- 📦 **pnpm Recommendation**: Added pnpm as preferred package manager with `.npmrc` configuration
-- 🚀 **Rust Build Optimization**: Comprehensive guide for faster Rust builds
-  - sccache configuration, incremental compilation, lld linker
-  - Anti-pattern documentation for `pub use big_crate::*;`
-- 📋 **Enhanced Task Management**: Strengthened OpenSpec format compliance and archiving rules
-- 📁 **Strict Markdown Organization**: UPPERCASE naming and `/docs` directory requirements
-
-### v1.0.0
-
-- 🎉 **First Stable Release**: Production-ready with comprehensive features
-- 🔒 **Apache 2.0 License**: Changed from MIT to Apache License 2.0 for better compatibility
-- 🛡️ **Git Hooks Enforcement**: Pre-commit and pre-push hooks now block commits with lint/test errors
-- 📋 **Task File Structure Rules**: Enhanced directives in AGENTS.md about correct task structure
-- 🎯 **Built-in Task Management**: OpenSpec deprecated and integrated into Rulebook's native task system
-- 📋 **RULEBOOK.md Template**: Core template with task management directives and Context7 MCP requirements
-- 🚫 **Automatic .gitignore**: `npx @hivellm/rulebook@latest init` now creates/updates `.gitignore` automatically for 28 languages
-- 🔄 **Migration Support**: Existing OpenSpec tasks automatically migrated to `/.rulebook/tasks/` format
-
-> **Breaking Change**: OpenSpec module removed. Use `npx @hivellm/rulebook@latest task` commands instead. See [Migration Guide](docs/guides/OPENSPEC_MIGRATION.md).
+### v4.0.0 — AI-first DX & Ralph maturity
+
+- 🚀 **Zero-prompt `init`**: auto-configures from detection, no questionnaires
+- 🛡️ **AGENTS.override.md**: project rules that survive every update
+- 📊 **Health Scorer v2**: 9-category scoring with letter grade A–F
+- 🤖 **Ralph v2**: parallel execution, plan checkpoint, context compression, security gate, GitHub Issues import
+- 🐳 **Container + Observability**: Docker, K8s, Helm, Sentry, OTel, Datadog, Pino, Winston, Prometheus
+- 🛠️ **Multi-tool**: Gemini CLI, Continue.dev, Windsurf, Copilot configs auto-generated
+- 🔍 **AI Code Review**: `rulebook review` + GitHub Actions workflow
+- 👥 **Multi-agent teams**: Claude Code agent definitions + team auto-configuration
+
+### v3.0.0 — Persistent Memory & Skills
+
+- 🧠 **Persistent Memory**: zero-dependency BM25+HNSW hybrid search, SQLite/WASM, 7 memory types
+- 🧩 **Skills System**: 244 skills across 10 categories with auto-detection and YAML frontmatter
+- 🤖 **Ralph Autonomous Loop**: multi-iteration AI agent with quality gates, PRD, pause/resume
+
+### v2.0.0 — Multi-tool & MCP
+
+- 🔌 **MCP Server**: 19 functions for task management, skills, and memory
+- 🤖 **AI CLI configs**: CLAUDE.md, CODEX.md, GEMINI.md auto-generated
+- 🧩 **Skills**: modular enable/disable architecture
+
+### v1.0.0 — Foundation
+
+- 📋 **Task management**: OpenSpec-compatible format with full lifecycle
+- 🛡️ **Git hooks**: pre-commit (format, lint, type-check) + pre-push (build, tests)
+- 🌍 **28 languages, 17 frameworks**, auto-detection with confidence scores
 
 ---
 

package/dist/agents/ralph-parser.d.ts

@@ -10,11 +10,28 @@ export declare class RalphParser {
     static parseAgentOutput(agentOutput: string, iterationNum: number, taskId: string, taskTitle: string, tool: 'claude' | 'amp' | 'gemini'): IterationResult;
     /**
      * Extract quality check results from agent output.
-     * Uses line-level matching to avoid false positives from global keyword presence.
+     * Uses structured count-based detection to avoid false positives.
+     * "0 errors" / "no errors" are treated as success, not failure.
      * Note: In MCP ralph_run, real quality gates are determined by actual command exit codes,
      * not this parser. This is a best-effort extraction for standalone parsing.
      */
     private static extractQualityChecks;
+    /**
+     * Parse lint error count from ESLint output.
+     * Returns 0 if no error count found (treat as passing).
+     */
+    private static parseLintErrorCount;
+    /**
+     * Parse test failure count from vitest/jest output.
+     * Returns 0 if no failure count found (treat as passing).
+     */
+    private static parseTestFailCount;
+    /**
+     * Parse real coverage percentage from test runner output.
+     * Supports vitest table format and jest/c8 line format.
+     * Returns null if coverage cannot be determined.
+     */
+    static parseCoveragePercentage(output: string): number | null;
     /**
      * Helper: Check if a single line contains percentage >= threshold
      */
@@ -47,5 +64,28 @@ export declare class RalphParser {
      * Check if iteration completion is detected
      */
     private static isCompletionDetected;
+    /**
+     * Parse `npm audit --json` output.
+     * Returns the highest severity found: 'critical' | 'high' | 'moderate' | 'low' | 'none'
+     */
+    static parseNpmAuditSeverity(jsonOutput: string): 'critical' | 'high' | 'moderate' | 'low' | 'none';
+    /**
+     * Parse text-based security tool output (trivy, semgrep, or npm audit without --json).
+     * Returns the highest severity found: 'critical' | 'high' | 'moderate' | 'low' | 'none'
+     */
+    static parseSecurityOutputText(output: string): 'critical' | 'high' | 'moderate' | 'low' | 'none';
+    /**
+     * Parse trivy JSON output (`trivy fs --format json`) for the highest severity found.
+     */
+    static parseTrivySeverity(jsonOutput: string): 'critical' | 'high' | 'moderate' | 'low' | 'none';
+    /**
+     * Parse semgrep JSON output (`semgrep --json`) for the highest severity found.
+     */
+    static parseSemgrepSeverity(jsonOutput: string): 'critical' | 'high' | 'moderate' | 'low' | 'none';
+    /**
+     * Determine if a security gate passes given the found severity and the configured failOn threshold.
+     * Severity order: none < low < moderate < high < critical
+     */
+    static securityGatePasses(foundSeverity: 'critical' | 'high' | 'moderate' | 'low' | 'none', failOn: 'critical' | 'high' | 'moderate' | 'low'): boolean;
 }
 //# sourceMappingURL=ralph-parser.d.ts.map

package/dist/agents/ralph-parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ralph-parser.d.ts","sourceRoot":"","sources":["../../src/agents/ralph-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;GAGG;AACH,qBAAa,WAAW;IACtB;;OAEG;IACH,MAAM,CAAC,gBAAgB,CACrB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAChC,eAAe;IA4ClB;;;;;OAKG;IACH,OAAO,CAAC,MAAM,CAAC,oBAAoB;IAmDnC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,sBAAsB;IAYrC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAwB9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IA4B/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IA4B5B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAa/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAiB9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAiB/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,oBAAoB;CAcpC"}
+{"version":3,"file":"ralph-parser.d.ts","sourceRoot":"","sources":["../../src/agents/ralph-parser.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;GAGG;AACH,qBAAa,WAAW;IACtB;;OAEG;IACH,MAAM,CAAC,gBAAgB,CACrB,WAAW,EAAE,MAAM,EACnB,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAChC,eAAe;IA4ClB;;;;;;OAMG;IACH,OAAO,CAAC,MAAM,CAAC,oBAAoB;IA2EnC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,mBAAmB;IAgBlC;;;OAGG;IACH,OAAO,CAAC,MAAM,CAAC,kBAAkB;IAgBjC;;;;OAIG;IACH,MAAM,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IA4B7D;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,sBAAsB;IAYrC;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAwB9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IA4B/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,aAAa;IA4B5B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAa/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,eAAe;IAiB9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,gBAAgB;IAiB/B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,oBAAoB;IAenC;;;OAGG;IACH,MAAM,CAAC,qBAAqB,CAC1B,UAAU,EAAE,MAAM,GACjB,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM;IAoBpD;;;OAGG;IACH,MAAM,CAAC,uBAAuB,CAC5B,MAAM,EAAE,MAAM,GACb,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM;IASpD;;OAEG;IACH,MAAM,CAAC,kBAAkB,CAAC,UAAU,EAAE,MAAM,GAAG,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM;IAoBhG;;OAEG;IACH,MAAM,CAAC,oBAAoB,CACzB,UAAU,EAAE,MAAM,GACjB,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM;IAyBpD;;;OAGG;IACH,MAAM,CAAC,kBAAkB,CACvB,aAAa,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAAG,MAAM,EAChE,MAAM,EAAE,UAAU,GAAG,MAAM,GAAG,UAAU,GAAG,KAAK,GAC/C,OAAO;CAMX"}

package/dist/agents/ralph-parser.js

@@ -43,29 +43,49 @@ export class RalphParser {
     }
     /**
      * Extract quality check results from agent output.
-     * Uses line-level matching to avoid false positives from global keyword presence.
+     * Uses structured count-based detection to avoid false positives.
+     * "0 errors" / "no errors" are treated as success, not failure.
      * Note: In MCP ralph_run, real quality gates are determined by actual command exit codes,
      * not this parser. This is a best-effort extraction for standalone parsing.
      */
     static extractQualityChecks(output) {
         const lines = output.split('\n').map((l) => l.toLowerCase().trim());
-        // Look for explicit pass/fail patterns on the SAME line as the gate keyword
-        const typeCheckPass = lines.some((l) => (l.includes('type-check') || l.includes('tsc')) &&
+        // Type-check: pass if no TypeScript error codes (error TS\d+) found
+        const tsErrorCount = (output.match(/error TS\d+/gi) ?? []).length;
+        const typeCheckExplicitPass = lines.some((l) => (l.includes('type-check') || l.includes('tsc')) &&
             (l.includes('pass') || l.includes('success') || l.includes('✓')) &&
-            !l.includes('fail') &&
-            !l.includes('error'));
-        const lintPass = lines.some((l) => (l.includes('eslint') || (l.includes('lint') && !l.includes('linting issues'))) &&
+            !l.includes('fail'));
+        const typeCheckPass = typeCheckExplicitPass || tsErrorCount === 0;
+        // Lint: parse "X problems (Y errors, Z warnings)" — fail only if errors > 0
+        // Also pass on "0 problems", "0 errors", "no problems", explicit pass
+        const lintErrorCount = this.parseLintErrorCount(lines);
+        const lintExplicitPass = lines.some((l) => (l.includes('eslint') || l.includes('lint')) &&
             (l.includes('pass') ||
                 l.includes('success') ||
                 l.includes('✓') ||
-                l.includes('0 problems')) &&
-            !l.includes('fail') &&
-            !l.includes('error'));
-        const testsPass = lines.some((l) => (l.includes('test') || l.includes('vitest') || l.includes('jest')) &&
-            (l.includes('pass') || l.includes('passed') || l.includes('✓') || l.includes('success')) &&
-            !l.includes('fail') &&
-            !l.includes('error'));
-        const coveragePass = lines.some((l) => l.includes('coverage') && this.lineHasPercentageAbove(l, 95)) ||
+                l.includes('0 problems') ||
+                l.includes('no problems')));
+        const lintExplicitFail = lines.some((l) => (l.includes('eslint') || l.includes('lint')) && l.includes('fail'));
+        const lintPass = lintExplicitFail ? false : lintExplicitPass || lintErrorCount === 0;
+        // Tests: parse "X failed" — fail only if count > 0
+        // "0 errors", "passing", "✓ X tests" are all success
+        const testFailCount = this.parseTestFailCount(lines);
+        const testExplicitPass = lines.some((l) => (l.includes('test') || l.includes('vitest') || l.includes('jest')) &&
+            (l.includes('pass') ||
+                l.includes('passed') ||
+                l.includes('✓') ||
+                l.includes('success') ||
+                l.includes('0 errors') ||
+                l.includes('no errors') ||
+                l.includes('0 failed')));
+        const testExplicitFail = lines.some((l) => (l.includes('test') || l.includes('vitest') || l.includes('jest')) &&
+            l.includes('fail') &&
+            !l.includes('0 fail'));
+        const testsPass = testExplicitFail ? false : testExplicitPass || testFailCount === 0;
+        // Coverage: parse actual percentage or explicit pass/fail
+        const covPct = this.parseCoveragePercentage(output);
+        const coveragePass = (covPct !== null && covPct >= 95) ||
+            lines.some((l) => l.includes('coverage') && this.lineHasPercentageAbove(l, 95)) ||
             lines.some((l) => l.includes('coverage') && (l.includes('pass') || l.includes('met') || l.includes('✓')));
         return {
             type_check: typeCheckPass,
@@ -74,6 +94,72 @@ export class RalphParser {
             coverage_met: coveragePass,
         };
     }
+    /**
+     * Parse lint error count from ESLint output.
+     * Returns 0 if no error count found (treat as passing).
+     */
+    static parseLintErrorCount(lines) {
+        for (const line of lines) {
+            // "X problems (Y errors, Z warnings)"
+            const problemsMatch = line.match(/(\d+)\s+problems?\s+\((\d+)\s+errors?/);
+            if (problemsMatch) {
+                return parseInt(problemsMatch[2], 10);
+            }
+            // "X error" standalone
+            const errorCountMatch = line.match(/^(\d+)\s+errors?$/);
+            if (errorCountMatch) {
+                return parseInt(errorCountMatch[1], 10);
+            }
+        }
+        return 0;
+    }
+    /**
+     * Parse test failure count from vitest/jest output.
+     * Returns 0 if no failure count found (treat as passing).
+     */
+    static parseTestFailCount(lines) {
+        for (const line of lines) {
+            // "X failed" — vitest/jest
+            const failMatch = line.match(/(\d+)\s+failed/);
+            if (failMatch) {
+                return parseInt(failMatch[1], 10);
+            }
+            // "Tests: X failed" — jest summary
+            const jestMatch = line.match(/tests:\s+(\d+)\s+failed/);
+            if (jestMatch) {
+                return parseInt(jestMatch[1], 10);
+            }
+        }
+        return 0;
+    }
+    /**
+     * Parse real coverage percentage from test runner output.
+     * Supports vitest table format and jest/c8 line format.
+     * Returns null if coverage cannot be determined.
+     */
+    static parseCoveragePercentage(output) {
+        // vitest/istanbul table: "All files | 87.50 | ..." or "All files | 87.50 |"
+        const vitestMatch = output.match(/all files\s*\|\s*(\d+(?:\.\d+)?)\s*\|/i);
+        if (vitestMatch) {
+            return parseFloat(vitestMatch[1]);
+        }
+        // jest: "Lines : 87.5%" or "Lines                : 87.5 %"
+        const jestLinesMatch = output.match(/lines\s*:\s*(\d+(?:\.\d+)?)\s*%/i);
+        if (jestLinesMatch) {
+            return parseFloat(jestLinesMatch[1]);
+        }
+        // c8/nyc: "% Lines  | 87.5"
+        const c8Match = output.match(/%\s*lines\s*\|\s*(\d+(?:\.\d+)?)/i);
+        if (c8Match) {
+            return parseFloat(c8Match[1]);
+        }
+        // Generic: "coverage: 87%" or "coverage 87.5%"
+        const genericMatch = output.match(/coverage[:\s]+(\d+(?:\.\d+)?)%/i);
+        if (genericMatch) {
+            return parseFloat(genericMatch[1]);
+        }
+        return null;
+    }
     /**
      * Helper: Check if a single line contains percentage >= threshold
      */
@@ -223,5 +309,107 @@ export class RalphParser {
         const lowerOutput = output.toLowerCase();
         return completionKeywords.some((kw) => lowerOutput.includes(kw));
     }
+    /**
+     * Parse `npm audit --json` output.
+     * Returns the highest severity found: 'critical' | 'high' | 'moderate' | 'low' | 'none'
+     */
+    static parseNpmAuditSeverity(jsonOutput) {
+        try {
+            const parsed = JSON.parse(jsonOutput);
+            const v = parsed?.metadata?.vulnerabilities;
+            if (!v)
+                return 'none';
+            if ((v.critical ?? 0) > 0)
+                return 'critical';
+            if ((v.high ?? 0) > 0)
+                return 'high';
+            if ((v.moderate ?? 0) > 0)
+                return 'moderate';
+            if ((v.low ?? 0) > 0)
+                return 'low';
+            return 'none';
+        }
+        catch {
+            // Not valid JSON — try text-based fallback
+            return this.parseSecurityOutputText(jsonOutput);
+        }
+    }
+    /**
+     * Parse text-based security tool output (trivy, semgrep, or npm audit without --json).
+     * Returns the highest severity found: 'critical' | 'high' | 'moderate' | 'low' | 'none'
+     */
+    static parseSecurityOutputText(output) {
+        const lower = output.toLowerCase();
+        if (lower.includes('critical'))
+            return 'critical';
+        if (lower.includes(' high'))
+            return 'high';
+        if (lower.includes('moderate'))
+            return 'moderate';
+        if (lower.includes(' low'))
+            return 'low';
+        return 'none';
+    }
+    /**
+     * Parse trivy JSON output (`trivy fs --format json`) for the highest severity found.
+     */
+    static parseTrivySeverity(jsonOutput) {
+        try {
+            const parsed = JSON.parse(jsonOutput);
+            const severities = (parsed.Results ?? [])
+                .flatMap((r) => r.Vulnerabilities ?? [])
+                .map((v) => (v.Severity ?? '').toLowerCase());
+            if (severities.includes('critical'))
+                return 'critical';
+            if (severities.includes('high'))
+                return 'high';
+            if (severities.includes('medium'))
+                return 'moderate'; // trivy uses MEDIUM
+            if (severities.includes('moderate'))
+                return 'moderate';
+            if (severities.includes('low'))
+                return 'low';
+            return 'none';
+        }
+        catch {
+            return this.parseSecurityOutputText(jsonOutput);
+        }
+    }
+    /**
+     * Parse semgrep JSON output (`semgrep --json`) for the highest severity found.
+     */
+    static parseSemgrepSeverity(jsonOutput) {
+        try {
+            const parsed = JSON.parse(jsonOutput);
+            const severities = (parsed.results ?? []).map((r) => {
+                const sev = (r.extra?.severity ?? r.extra?.metadata?.severity ?? '').toLowerCase();
+                return sev;
+            });
+            if (severities.includes('critical') || severities.includes('error'))
+                return 'high'; // semgrep ERROR ≈ high
+            if (severities.includes('high'))
+                return 'high';
+            if (severities.includes('warning') ||
+                severities.includes('medium') ||
+                severities.includes('moderate'))
+                return 'moderate';
+            if (severities.includes('info') || severities.includes('low'))
+                return 'low';
+            return severities.length > 0 ? 'low' : 'none';
+        }
+        catch {
+            return this.parseSecurityOutputText(jsonOutput);
+        }
+    }
+    /**
+     * Determine if a security gate passes given the found severity and the configured failOn threshold.
+     * Severity order: none < low < moderate < high < critical
+     */
+    static securityGatePasses(foundSeverity, failOn) {
+        const order = ['none', 'low', 'moderate', 'high', 'critical'];
+        const foundIdx = order.indexOf(foundSeverity);
+        const failIdx = order.indexOf(failOn);
+        return foundIdx < failIdx;
+    }
 }
 //# sourceMappingURL=ralph-parser.js.map