@hongmaple0820/scale-engine 0.9.0 → 0.10.1

package/dist/workflow/gates/GateSystem.js

@@ -0,0 +1,788 @@
+// SCALE Engine - Gate System
+// Quality gate system G0-G7.
+import { EvidenceStore } from '../EvidenceStore.js';
+import { detectVerificationCommands } from '../VerificationCommands.js';
+import { execa } from 'execa';
+import { createHash } from 'node:crypto';
+function tail(value, maxLength = 1000) {
+    return value.length > maxLength ? value.slice(-maxLength) : value;
+}
+function sha256(value) {
+    return createHash('sha256').update(value).digest('hex');
+}
+export async function runShellCommand(command, timeout) {
+    const start = Date.now();
+    const cwd = process.cwd();
+    try {
+        const result = await execa(command, {
+            shell: true,
+            timeout,
+            reject: false,
+            all: false,
+        });
+        return {
+            code: result.exitCode ?? 1,
+            stdout: result.stdout ?? '',
+            stderr: result.stderr ?? '',
+            durationMs: Date.now() - start,
+            startedAt: start,
+            endedAt: Date.now(),
+            cwd,
+        };
+    }
+    catch (error) {
+        return {
+            code: 1,
+            stdout: '',
+            stderr: error instanceof Error ? error.message : String(error),
+            durationMs: Date.now() - start,
+            startedAt: start,
+            endedAt: Date.now(),
+            cwd,
+        };
+    }
+}
+function createEvidence(input) {
+    return {
+        id: `EVID-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        ...input,
+    };
+}
+function textEvidence(items) {
+    return items.map(item => `${item.label}: ${item.detail}`).join('\n');
+}
+export class GateSystem {
+    constructor(eventBus, commandConfig = {}) {
+        this.gates = new Map();
+        this.results = new Map();
+        this.eventBus = eventBus;
+        this.evidenceStore = new EvidenceStore();
+        this.commands = detectVerificationCommands(process.cwd(), commandConfig);
+        this.registerDefaultGates();
+    }
+    registerGate(gate) {
+        this.gates.set(gate.stage, gate);
+    }
+    async executeGate(stage) {
+        const gate = this.gates.get(stage);
+        if (!gate) {
+            const evidenceItems = [
+                createEvidence({
+                    kind: 'manual',
+                    label: 'Gate registry',
+                    passed: false,
+                    detail: `Gate ${stage} is not registered`,
+                }),
+            ];
+            return {
+                gate: stage,
+                status: 'FAILED',
+                passed: false,
+                evidence: textEvidence(evidenceItems),
+                evidenceItems,
+                blockers: [],
+                durationMs: 0,
+            };
+        }
+        const start = Date.now();
+        try {
+            const result = await gate.execute();
+            result.durationMs = Date.now() - start;
+            this.results.set(stage, result);
+            this.persistEvidence(result);
+            this.eventBus.emit('gate.executed', { stage, passed: result.passed });
+            return result;
+        }
+        catch (e) {
+            const result = {
+                gate: stage,
+                status: 'FAILED',
+                passed: false,
+                evidence: `Gate execution failed: ${e}`,
+                evidenceItems: [
+                    createEvidence({
+                        kind: 'manual',
+                        label: 'Gate execution',
+                        passed: false,
+                        detail: String(e),
+                    }),
+                ],
+                blockers: [String(e)],
+                durationMs: Date.now() - start
+            };
+            this.results.set(stage, result);
+            this.persistEvidence(result);
+            return result;
+        }
+    }
+    persistEvidence(result) {
+        try {
+            const record = this.evidenceStore.saveGateResult(result);
+            result.evidenceRecordId = record.id;
+        }
+        catch {
+            // Evidence persistence must not mask the gate decision itself.
+        }
+    }
+    async executeAll(order = ['G0', 'G1', 'G2', 'G3', 'G4', 'G5', 'G6', 'G7']) {
+        const results = [];
+        for (const stage of order) {
+            const result = await this.executeGate(stage);
+            results.push(result);
+            if (!result.passed && stage !== 'G1' && stage !== 'G2') {
+                this.eventBus.emit('gate.blocked', { stage, blockers: result.blockers });
+                break;
+            }
+        }
+        return results;
+    }
+    getResult(stage) {
+        return this.results.get(stage);
+    }
+    getAllResults() {
+        return this.results;
+    }
+    registerDefaultGates() {
+        this.registerGate(new ExplorationGate());
+        this.registerGate(new PlanningGate());
+        this.registerGate(new TDDGate(this.commands.tddEvidence, this.commands.tddStrict));
+        this.registerGate(new BuildGate(this.commands.build));
+        this.registerGate(new LintGate(this.commands.lint));
+        this.registerGate(new TestGate(this.commands.test));
+        this.registerGate(new CoverageGate(this.commands.coverage));
+        this.registerGate(new SecurityGate());
+    }
+}
+function missingCommandResult(stage, label, command) {
+    const evidenceItems = [
+        createEvidence({
+            kind: 'command',
+            label,
+            passed: false,
+            detail: command.reason,
+        }),
+    ];
+    return {
+        gate: stage,
+        status: 'BLOCKED',
+        passed: false,
+        evidence: textEvidence(evidenceItems),
+        evidenceItems,
+        blockers: [command.reason],
+        durationMs: 0,
+    };
+}
+function commandEvidence(label, command, passed, commandResult, fallbackDetail = 'command did not complete') {
+    const output = commandResult ? `${commandResult.stdout}\n${commandResult.stderr}` : '';
+    return createEvidence({
+        kind: 'command',
+        label,
+        passed,
+        command: command.command,
+        exitCode: commandResult?.code,
+        durationMs: commandResult?.durationMs,
+        cwd: commandResult?.cwd,
+        startedAt: commandResult?.startedAt,
+        endedAt: commandResult?.endedAt,
+        stdoutTail: commandResult ? tail(commandResult.stdout) : undefined,
+        stderrTail: commandResult ? tail(commandResult.stderr) : undefined,
+        outputHash: output ? sha256(output) : undefined,
+        source: command.source,
+        detail: commandResult
+            ? `${command.reason}\n${tail(commandResult.stdout || commandResult.stderr || `exit code ${commandResult.code}`, 500)}`
+            : fallbackDetail,
+    });
+}
+export class ExplorationGate {
+    constructor() {
+        this.stage = 'G1';
+        this.name = 'Exploration';
+        this.description = 'Project knowledge file, knowledge graph, and contradiction analysis checks';
+        this.requiredLevel = 'M';
+    }
+    async execute() {
+        const blockers = [];
+        const knowledgeFile = await this.findKnowledgeFile();
+        if (!knowledgeFile) {
+            blockers.push('No project knowledge file found');
+        }
+        const hasKnowledgeGraph = await this.checkKnowledgeGraph();
+        const evidenceItems = [
+            createEvidence({
+                kind: 'file',
+                label: 'Project knowledge file',
+                passed: Boolean(knowledgeFile),
+                path: knowledgeFile ?? undefined,
+                detail: knowledgeFile ? `found ${knowledgeFile}` : 'missing AGENTS.md, CLAUDE.md, .cursorrules, and GEMINI.md',
+            }),
+            createEvidence({
+                kind: 'file',
+                label: 'Knowledge graph',
+                passed: hasKnowledgeGraph,
+                path: 'graphify-out/GRAPH_REPORT.md',
+                detail: hasKnowledgeGraph ? 'available' : 'not available',
+            }),
+        ];
+        const passed = blockers.length === 0;
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'BLOCKED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+    async findKnowledgeFile() {
+        const fs = await import('fs/promises');
+        const candidates = ['AGENTS.md', 'CLAUDE.md', '.cursorrules', 'GEMINI.md'];
+        for (const candidate of candidates) {
+            try {
+                await fs.access(candidate);
+                return candidate;
+            }
+            catch {
+                // Try the next platform-specific knowledge file.
+            }
+        }
+        return null;
+    }
+    async checkKnowledgeGraph() {
+        try {
+            const fs = await import('fs/promises');
+            await fs.access('graphify-out/GRAPH_REPORT.md');
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export class PlanningGate {
+    constructor() {
+        this.stage = 'G2';
+        this.name = 'Planning';
+        this.description = 'Mini-Spec or SDD planning artifact checks';
+        this.requiredLevel = 'L';
+    }
+    async execute() {
+        const blockers = [];
+        const hasSpec = await this.checkSpecDocument();
+        if (!hasSpec) {
+            blockers.push('Spec document not found');
+        }
+        const evidenceItems = [
+            createEvidence({
+                kind: 'file',
+                label: 'Spec document',
+                passed: hasSpec,
+                path: '.scale/specs',
+                detail: hasSpec ? 'spec directory contains at least one markdown spec' : 'missing spec directory or markdown spec',
+            }),
+        ];
+        const passed = blockers.length === 0;
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'BLOCKED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+    async checkSpecDocument() {
+        try {
+            const fs = await import('fs/promises');
+            const specDir = '.scale/specs';
+            const entries = await fs.readdir(specDir);
+            return entries.some(entry => entry.endsWith('.md'));
+        }
+        catch {
+            return false;
+        }
+    }
+}
+export class TDDGate {
+    constructor(evidencePath, strict = false) {
+        this.evidencePath = evidencePath;
+        this.strict = strict;
+        this.stage = 'G3';
+        this.name = 'TDD';
+        this.description = 'RED -> GREEN -> REFACTOR evidence check';
+        this.requiredLevel = 'CRITICAL';
+    }
+    async execute() {
+        if (this.evidencePath) {
+            return this.verifyEvidenceFile(this.evidencePath);
+        }
+        const detail = this.strict
+            ? 'TDD evidence file is required in strict mode'
+            : 'TDD cycle not strictly verified; provide --tdd-evidence or use --tdd-strict to enforce';
+        const evidenceItems = [
+            createEvidence({
+                kind: 'manual',
+                label: 'TDD cycle',
+                passed: !this.strict,
+                detail,
+                source: 'tdd-gate',
+            }),
+        ];
+        return {
+            gate: this.stage,
+            status: this.strict ? 'BLOCKED' : 'PASSED',
+            passed: !this.strict,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers: this.strict ? [detail] : [],
+            durationMs: 0
+        };
+    }
+    async verifyEvidenceFile(path) {
+        const fs = await import('fs/promises');
+        const blockers = [];
+        let parsed;
+        let content = '';
+        try {
+            content = await fs.readFile(path, 'utf-8');
+            parsed = JSON.parse(content);
+        }
+        catch (error) {
+            blockers.push(`TDD evidence could not be read: ${error instanceof Error ? error.message : String(error)}`);
+        }
+        const evidence = parsed;
+        if (!blockers.length) {
+            if (evidence.red !== true)
+                blockers.push('TDD evidence missing red=true');
+            if (evidence.green !== true)
+                blockers.push('TDD evidence missing green=true');
+            if (evidence.refactor !== true)
+                blockers.push('TDD evidence missing refactor=true');
+            if (evidence.testFirst !== true)
+                blockers.push('TDD evidence missing testFirst=true');
+        }
+        const passed = blockers.length === 0;
+        const evidenceItems = [
+            createEvidence({
+                kind: 'file',
+                label: 'TDD evidence',
+                passed,
+                path,
+                detail: passed ? 'TDD evidence contains red/green/refactor/testFirst=true' : blockers.join('; '),
+                outputHash: content ? sha256(content) : undefined,
+                source: 'tdd-evidence',
+            }),
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'BLOCKED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers,
+            durationMs: 0,
+        };
+    }
+}
+export class BuildGate {
+    constructor(command) {
+        this.command = command;
+        this.stage = 'G0';
+        this.name = 'Build';
+        this.description = 'Run configured build or typecheck command';
+        this.requiredLevel = 'ALWAYS';
+    }
+    async execute() {
+        if (!this.command.command) {
+            return missingCommandResult(this.stage, 'Build command', this.command);
+        }
+        const blockers = [];
+        let commandResult = null;
+        try {
+            commandResult = await runShellCommand(this.command.command, 120000);
+            if (commandResult.code !== 0) {
+                blockers.push(`Build failed: ${commandResult.stderr}`);
+            }
+        }
+        catch (e) {
+            blockers.push(`Build execution failed: ${e}`);
+        }
+        const passed = blockers.length === 0;
+        const evidenceItems = [
+            commandEvidence('Build command', this.command, passed, commandResult),
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'FAILED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+}
+export class LintGate {
+    constructor(command) {
+        this.command = command;
+        this.stage = 'G4';
+        this.name = 'Lint';
+        this.description = 'Run configured lint command';
+        this.requiredLevel = 'ALWAYS';
+    }
+    async execute() {
+        if (!this.command.command) {
+            return missingCommandResult(this.stage, 'Lint command', this.command);
+        }
+        const blockers = [];
+        let commandResult = null;
+        try {
+            commandResult = await runShellCommand(this.command.command, 60000);
+            if (commandResult.code !== 0) {
+                blockers.push(`Lint failed: ${commandResult.stderr}`);
+            }
+        }
+        catch (e) {
+            blockers.push(`Lint execution failed: ${e}`);
+        }
+        const passed = blockers.length === 0;
+        const evidenceItems = [
+            commandEvidence('Lint command', this.command, passed, commandResult),
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'FAILED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+}
+export class TestGate {
+    constructor(command) {
+        this.command = command;
+        this.stage = 'G5';
+        this.name = 'Test';
+        this.description = 'Run configured test command';
+        this.requiredLevel = 'ALWAYS';
+    }
+    async execute() {
+        if (!this.command.command) {
+            return missingCommandResult(this.stage, 'Test command', this.command);
+        }
+        const blockers = [];
+        let commandResult = null;
+        try {
+            commandResult = await runShellCommand(this.command.command, 120000);
+            if (commandResult.code !== 0) {
+                blockers.push(`Tests failed: ${commandResult.stderr}`);
+            }
+        }
+        catch (e) {
+            blockers.push(`Test execution failed: ${e}`);
+        }
+        const passed = blockers.length === 0;
+        const evidenceItems = [
+            commandEvidence('Test command', this.command, passed, commandResult),
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'FAILED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+}
+export class CoverageGate {
+    constructor(command) {
+        this.command = command;
+        this.stage = 'G6';
+        this.name = 'Coverage';
+        this.description = 'Run configured coverage command';
+        this.requiredLevel = 'ALWAYS';
+    }
+    async execute() {
+        if (!this.command.command) {
+            return missingCommandResult(this.stage, 'Coverage command', this.command);
+        }
+        const blockers = [];
+        let detail = '';
+        let commandResult = null;
+        try {
+            commandResult = await runShellCommand(this.command.command, 120000);
+            if (commandResult.code !== 0) {
+                blockers.push(`Coverage command failed: ${commandResult.stderr}`);
+            }
+            const coverageMatch = commandResult.stdout.match(/All files[^|]*\|[^|]*\|[^|]*\|[^|]*\|[^|]*\|\s*(\d+\.?\d*)/);
+            if (coverageMatch) {
+                const coverage = parseFloat(coverageMatch[1]);
+                detail = `Coverage: ${coverage}%`;
+                if (coverage < 80) {
+                    blockers.push(`Coverage ${coverage}% below 80% threshold`);
+                }
+            }
+            else {
+                detail = (commandResult.stdout || commandResult.stderr || `exit code ${commandResult.code}`).slice(-500);
+                blockers.push('Coverage percentage could not be parsed');
+            }
+        }
+        catch (e) {
+            blockers.push(`Coverage check failed: ${e}`);
+        }
+        const passed = blockers.length === 0;
+        const evidenceItems = [
+            {
+                ...commandEvidence('Coverage command', this.command, passed, commandResult),
+                detail: detail ? `${this.command.reason}\n${detail}` : 'command did not complete',
+            },
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'FAILED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+}
+export class SecurityGate {
+    constructor(options = {}) {
+        this.stage = 'G7';
+        this.name = 'Security';
+        this.description = 'Built-in OWASP-oriented security scan';
+        this.requiredLevel = 'ALWAYS';
+        this.rootDir = options.rootDir ?? process.cwd();
+        this.scanDirs = options.scanDirs ?? ['src'];
+        this.maxFileBytes = options.maxFileBytes ?? 300_000;
+        this.maxFindings = options.maxFindings ?? 50;
+        this.strict = options.strict ?? false;
+    }
+    async execute() {
+        const findings = await this.scan();
+        const blockers = findings
+            .filter(finding => finding.severity === 'CRITICAL' || (this.strict && finding.severity === 'HIGH'))
+            .map(finding => `${finding.severity} ${finding.ruleId} in ${finding.file}:${finding.line} - ${finding.description}`);
+        const passed = blockers.length === 0;
+        const summary = this.summarize(findings);
+        const evidenceItems = [
+            createEvidence({
+                kind: 'scan',
+                label: 'Security scan',
+                passed,
+                path: this.scanDirs.join(','),
+                detail: findings.length > 0
+                    ? `${findings.length} finding(s): critical=${summary.CRITICAL}, high=${summary.HIGH}, medium=${summary.MEDIUM}, low=${summary.LOW}, strict=${this.strict}`
+                    : 'no built-in security findings detected',
+                source: 'built-in-security-scan',
+            }),
+            ...findings.slice(0, this.maxFindings).map(finding => createEvidence({
+                kind: 'scan',
+                label: `Security finding ${finding.ruleId}`,
+                passed: finding.severity !== 'CRITICAL' && finding.severity !== 'HIGH',
+                path: finding.file,
+                detail: `${finding.severity} line ${finding.line}: ${finding.description}; ${finding.evidence}`,
+                source: 'built-in-security-scan',
+            })),
+        ];
+        return {
+            gate: this.stage,
+            status: passed ? 'PASSED' : 'FAILED',
+            passed,
+            evidence: textEvidence(evidenceItems),
+            evidenceItems,
+            blockers
+        };
+    }
+    async scan() {
+        const findings = [];
+        try {
+            const fs = await import('fs/promises');
+            const { join, relative } = await import('path');
+            const files = [];
+            for (const dir of this.scanDirs) {
+                files.push(...await this.walkDir(join(this.rootDir, dir)));
+            }
+            for (const file of files) {
+                if (findings.length >= this.maxFindings)
+                    break;
+                const stat = await fs.stat(file);
+                if (!stat.isFile() || stat.size > this.maxFileBytes)
+                    continue;
+                const content = await fs.readFile(file, 'utf-8');
+                if (content.includes('\u0000'))
+                    continue;
+                const displayPath = relative(this.rootDir, file).replace(/\\/g, '/');
+                findings.push(...this.scanFile(displayPath, content).slice(0, this.maxFindings - findings.length));
+            }
+        }
+        catch {
+            // A missing scan directory should not mask the rest of the verification run.
+        }
+        return findings;
+    }
+    scanFile(file, content) {
+        const findings = [];
+        const lines = content.split('\n');
+        for (const rule of this.rulesForFile(file)) {
+            for (let index = 0; index < lines.length; index += 1) {
+                const line = lines[index];
+                if (this.isRuleDefinition(file, line) || this.isSecurityTestFixture(file, line))
+                    continue;
+                rule.pattern.lastIndex = 0;
+                if (rule.pattern.test(line)) {
+                    findings.push({
+                        ruleId: rule.id,
+                        severity: rule.severity,
+                        description: rule.description,
+                        file,
+                        line: index + 1,
+                        evidence: line.trim().slice(0, 180),
+                    });
+                }
+            }
+        }
+        findings.push(...this.findEmptyCatchBlocks(file, lines));
+        return findings;
+    }
+    async walkDir(dir) {
+        const fs = await import('fs/promises');
+        const { join } = await import('path');
+        const results = [];
+        try {
+            const entries = await fs.readdir(dir, { withFileTypes: true });
+            for (const entry of entries) {
+                const fullPath = join(dir, entry.name);
+                if (entry.isDirectory()) {
+                    if (['node_modules', 'dist', '.git', '.scale', 'coverage'].includes(entry.name))
+                        continue;
+                    results.push(...await this.walkDir(fullPath));
+                }
+                else if (/\.(ts|tsx|js|jsx|mjs|cjs)$/.test(entry.name)) {
+                    results.push(fullPath);
+                }
+            }
+        }
+        catch {
+            // Ignore unreadable directories.
+        }
+        return results;
+    }
+    rulesForFile(file) {
+        const rules = [
+            {
+                id: 'secret.assignment',
+                severity: 'CRITICAL',
+                description: 'Hardcoded credential or token assignment',
+                pattern: /\b(password|passwd|api[_-]?key|secret|token|auth[_-]?token|access[_-]?token|refresh[_-]?token|private[_-]?key)\b\s*[:=]\s*['"`][^'"`]{6,}['"`]/i,
+            },
+            {
+                id: 'secret.private-key',
+                severity: 'CRITICAL',
+                description: 'Private key material appears in source',
+                pattern: /-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----/,
+            },
+            {
+                id: 'security.tls-disabled',
+                severity: 'HIGH',
+                description: 'TLS certificate verification is disabled',
+                pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"`]0['"`]|rejectUnauthorized\s*:\s*false|strictSSL\s*:\s*false/i,
+            },
+            {
+                id: 'injection.eval',
+                severity: 'HIGH',
+                description: 'Dynamic code execution can enable injection',
+                pattern: /\beval\s*\(|new\s+Function\s*\(/,
+            },
+            {
+                id: 'xss.raw-html',
+                severity: 'HIGH',
+                description: 'Raw HTML rendering can enable XSS',
+                pattern: /dangerouslySetInnerHTML|\.innerHTML\s*=/,
+            },
+            {
+                id: 'command.dangerous',
+                severity: 'HIGH',
+                description: 'Dangerous shell or Git command pattern',
+                pattern: /\bgit\s+add\s+\.(?=$|[\s'"`),;])|rm\s+-rf\s+(?:\/|~|\*|\.)|curl\b.*\|.*\b(?:bash|sh|pwsh|powershell|cmd)\b|Invoke-WebRequest\b.*\|\s*iex\b/i,
+            },
+            {
+                id: 'command.shell-exec',
+                severity: 'MEDIUM',
+                description: 'Shell execution requires argument control review',
+                pattern: /\bshell\s*:\s*true\b|\bexecSync\s*\(|\bchild_process\.exec\s*\(/,
+            },
+            {
+                id: 'types.ts-ignore',
+                severity: 'MEDIUM',
+                description: 'TypeScript error suppression can hide unsafe code',
+                pattern: /^\s*(?:\/\/|\/\*)\s*@ts-ignore\b/,
+            },
+        ];
+        return this.isTestPath(file)
+            ? rules.filter(rule => rule.severity === 'CRITICAL' || rule.id === 'command.dangerous')
+            : rules;
+    }
+    findEmptyCatchBlocks(file, lines) {
+        if (this.isTestPath(file))
+            return [];
+        const findings = [];
+        for (let index = 0; index < lines.length; index += 1) {
+            const line = lines[index];
+            if (/catch\s*(?:\([^)]*\))?\s*\{\s*(?:\/\*.*?\*\/|\/\/.*)?\s*\}/.test(line)) {
+                findings.push({
+                    ruleId: 'logic.empty-catch',
+                    severity: 'HIGH',
+                    description: 'Empty or comment-only catch block suppresses failures',
+                    file,
+                    line: index + 1,
+                    evidence: line.trim().slice(0, 180),
+                });
+                continue;
+            }
+            if (!/catch\s*(?:\([^)]*\))?\s*\{\s*$/.test(line))
+                continue;
+            for (let probe = index + 1; probe < Math.min(lines.length, index + 8); probe += 1) {
+                const trimmed = lines[probe].trim();
+                if (trimmed === '' || trimmed.startsWith('//') || trimmed.startsWith('/*') || trimmed.startsWith('*') || trimmed.startsWith('*/')) {
+                    continue;
+                }
+                if (/^}\s*[),;]?$/.test(trimmed)) {
+                    findings.push({
+                        ruleId: 'logic.empty-catch',
+                        severity: 'HIGH',
+                        description: 'Empty or comment-only catch block suppresses failures',
+                        file,
+                        line: index + 1,
+                        evidence: line.trim().slice(0, 180),
+                    });
+                }
+                break;
+            }
+        }
+        return findings;
+    }
+    summarize(findings) {
+        return {
+            CRITICAL: findings.filter(f => f.severity === 'CRITICAL').length,
+            HIGH: findings.filter(f => f.severity === 'HIGH').length,
+            MEDIUM: findings.filter(f => f.severity === 'MEDIUM').length,
+            LOW: findings.filter(f => f.severity === 'LOW').length,
+        };
+    }
+    isTestPath(file) {
+        return /(^|\/)(tests?|__tests__)\//i.test(file) || /\.(test|spec)\.(ts|tsx|js|jsx|mjs|cjs)$/i.test(file);
+    }
+    isRuleDefinition(file, line) {
+        const trimmed = line.trim();
+        return file.endsWith('GateSystem.ts') && (/^pattern:\s*\/.*\/[dgimsuy]*,?$/.test(trimmed) || /^id:\s*['"`][^'"`]+['"`],?$/.test(trimmed));
+    }
+    isSecurityTestFixture(file, line) {
+        if (!this.isTestPath(file))
+            return false;
+        return /\b(?:text|content|diff|source)\b\s*[:=]/.test(line) &&
+            /['"`].*(?:password|api[_-]?key|secret|token|auth|credential|private[_-]?key|git add|shell: true|@ts-ignore|catch)/i.test(line);
+    }
+}
+//# sourceMappingURL=GateSystem.js.map