@ipation/specbridge 2.4.7 → 2.4.9

package/dist/cli.js

@@ -1774,6 +1774,283 @@ function createRegistry(options) {
   return new Registry(options);
 }
 
+// src/verification/cache.ts
+import { stat as stat2, readFile as readFile2 } from "fs/promises";
+import { createHash } from "crypto";
+var AstCache = class {
+  cache = /* @__PURE__ */ new Map();
+  async get(filePath, project) {
+    try {
+      const stats = await stat2(filePath);
+      const cached = this.cache.get(filePath);
+      if (cached && cached.mtimeMs >= stats.mtimeMs) {
+        return cached.sourceFile;
+      }
+      const content = await readFile2(filePath, "utf-8");
+      const hash = createHash("sha256").update(content).digest("hex");
+      if (cached && cached.hash === hash) {
+        cached.mtimeMs = stats.mtimeMs;
+        return cached.sourceFile;
+      }
+      let sourceFile = project.getSourceFile(filePath);
+      if (!sourceFile) {
+        sourceFile = project.addSourceFileAtPath(filePath);
+      } else {
+        sourceFile.refreshFromFileSystemSync();
+      }
+      this.cache.set(filePath, {
+        sourceFile,
+        hash,
+        mtimeMs: stats.mtimeMs
+      });
+      return sourceFile;
+    } catch {
+      return null;
+    }
+  }
+  clear() {
+    this.cache.clear();
+  }
+  getStats() {
+    return {
+      entries: this.cache.size,
+      memoryEstimate: this.cache.size * 5e4
+      // Rough estimate: 50KB per AST
+    };
+  }
+};
+
+// src/verification/file-verifier.ts
+import { createHash as createHash2 } from "crypto";
+import { readFile as readFile3 } from "fs/promises";
+
+// src/verification/applicability.ts
+function isConstraintExcepted(filePath, constraint, cwd) {
+  if (!constraint.exceptions) return false;
+  return constraint.exceptions.some((exception) => {
+    if (exception.expiresAt) {
+      const expiryDate = new Date(exception.expiresAt);
+      if (expiryDate < /* @__PURE__ */ new Date()) {
+        return false;
+      }
+    }
+    return matchesPattern(filePath, exception.pattern, { cwd });
+  });
+}
+function shouldApplyConstraintToFile(params) {
+  const { filePath, constraint, cwd, severityFilter } = params;
+  if (!matchesPattern(filePath, constraint.scope, { cwd })) return false;
+  if (severityFilter && !severityFilter.includes(constraint.severity)) return false;
+  if (isConstraintExcepted(filePath, constraint, cwd)) return false;
+  return true;
+}
+
+// src/verification/plugins/loader.ts
+import { existsSync } from "fs";
+import { join as join5 } from "path";
+import { pathToFileURL } from "url";
+import fg2 from "fast-glob";
+var PluginLoader = class {
+  plugins = /* @__PURE__ */ new Map();
+  loaded = false;
+  loadErrors = [];
+  logger = getLogger({ module: "verification.plugins.loader" });
+  /**
+   * Load all plugins from the specified base path
+   *
+   * @param basePath - Project root directory (usually cwd)
+   */
+  async loadPlugins(basePath) {
+    const verifiersDir = join5(basePath, ".specbridge", "verifiers");
+    if (!existsSync(verifiersDir)) {
+      this.loaded = true;
+      return;
+    }
+    const files = await fg2("**/*.{ts,js}", {
+      cwd: verifiersDir,
+      absolute: true,
+      ignore: ["**/*.test.{ts,js}", "**/*.d.ts"]
+    });
+    for (const file of files) {
+      try {
+        await this.loadPlugin(file);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        this.loadErrors.push({ file, error: message });
+        this.logger.warn({ file, error: message }, "Failed to load plugin");
+      }
+    }
+    this.loaded = true;
+    if (this.plugins.size > 0) {
+      this.logger.info({ count: this.plugins.size }, "Loaded custom verifier plugins");
+    }
+    if (this.loadErrors.length > 0) {
+      this.logger.warn({ count: this.loadErrors.length }, "Plugin load failures");
+    }
+  }
+  /**
+   * Load a single plugin file
+   */
+  async loadPlugin(filePath) {
+    const fileUrl = pathToFileURL(filePath).href;
+    const module = await import(fileUrl);
+    const plugin = module.default || module.plugin;
+    if (!plugin) {
+      throw new Error('Plugin must export a default or named "plugin" export');
+    }
+    this.validatePlugin(plugin, filePath);
+    if (this.plugins.has(plugin.metadata.id)) {
+      throw new Error(
+        `Plugin ID "${plugin.metadata.id}" is already registered. Each plugin must have a unique ID.`
+      );
+    }
+    this.plugins.set(plugin.metadata.id, plugin);
+  }
+  /**
+   * Validate plugin structure and metadata
+   */
+  validatePlugin(plugin, _filePath) {
+    if (!plugin.metadata) {
+      throw new Error('Plugin must have a "metadata" property');
+    }
+    if (!plugin.metadata.id || typeof plugin.metadata.id !== "string") {
+      throw new Error('Plugin metadata must have a string "id" property');
+    }
+    if (!plugin.metadata.version || typeof plugin.metadata.version !== "string") {
+      throw new Error('Plugin metadata must have a string "version" property');
+    }
+    const idPattern = /^[a-z][a-z0-9-]*$/;
+    if (!idPattern.test(plugin.metadata.id)) {
+      throw new Error(
+        `Plugin ID "${plugin.metadata.id}" is invalid. ID must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens.`
+      );
+    }
+    if (typeof plugin.createVerifier !== "function") {
+      throw new Error('Plugin must have a "createVerifier" function');
+    }
+    let verifier;
+    try {
+      verifier = plugin.createVerifier();
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      throw new Error(`createVerifier() threw an error: ${message}`);
+    }
+    if (!verifier || typeof verifier !== "object") {
+      throw new Error("createVerifier() must return an object");
+    }
+    if (!verifier.id || typeof verifier.id !== "string") {
+      throw new Error('Verifier must have a string "id" property');
+    }
+    if (!verifier.name || typeof verifier.name !== "string") {
+      throw new Error('Verifier must have a string "name" property');
+    }
+    if (!verifier.description || typeof verifier.description !== "string") {
+      throw new Error('Verifier must have a string "description" property');
+    }
+    if (typeof verifier.verify !== "function") {
+      throw new Error('Verifier must have a "verify" method');
+    }
+    if (verifier.id !== plugin.metadata.id) {
+      throw new Error(
+        `Verifier ID "${verifier.id}" does not match plugin metadata ID "${plugin.metadata.id}". These must be identical.`
+      );
+    }
+  }
+  /**
+   * Get a verifier instance by ID
+   *
+   * @param id - Verifier ID
+   * @returns Verifier instance or null if not found
+   */
+  getVerifier(id) {
+    const plugin = this.plugins.get(id);
+    return plugin ? plugin.createVerifier() : null;
+  }
+  /**
+   * Get a plugin by ID (includes paramsSchema)
+   *
+   * @param id - Plugin ID
+   * @returns Plugin or null if not found
+   */
+  getPlugin(id) {
+    return this.plugins.get(id) || null;
+  }
+  /**
+   * Validate params against a plugin's paramsSchema
+   *
+   * @param id - Plugin ID
+   * @param params - Parameters to validate
+   * @returns Validation result with success flag and error message if failed
+   */
+  validateParams(id, params) {
+    const plugin = this.plugins.get(id);
+    if (!plugin) {
+      return { success: false, error: `Plugin ${id} not found` };
+    }
+    if (!plugin.paramsSchema) {
+      return { success: true };
+    }
+    if (!params) {
+      return { success: false, error: `Plugin ${id} requires params but none were provided` };
+    }
+    if (typeof plugin.paramsSchema !== "object" || !plugin.paramsSchema || !("parse" in plugin.paramsSchema)) {
+      return {
+        success: false,
+        error: `Plugin ${id} has invalid paramsSchema (must be a Zod schema)`
+      };
+    }
+    const schema = plugin.paramsSchema;
+    if (schema.safeParse) {
+      const result = schema.safeParse(params);
+      if (!result.success) {
+        const errors = result.error?.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join(", ") || "Validation failed";
+        return { success: false, error: `Invalid params for ${id}: ${errors}` };
+      }
+    } else {
+      try {
+        schema.parse(params);
+      } catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        return { success: false, error: `Invalid params for ${id}: ${message}` };
+      }
+    }
+    return { success: true };
+  }
+  /**
+   * Get all registered plugin IDs
+   */
+  getPluginIds() {
+    return Array.from(this.plugins.keys());
+  }
+  /**
+   * Check if plugins have been loaded
+   */
+  isLoaded() {
+    return this.loaded;
+  }
+  /**
+   * Get load errors (for diagnostics)
+   */
+  getLoadErrors() {
+    return [...this.loadErrors];
+  }
+  /**
+   * Reset the loader (useful for testing)
+   */
+  reset() {
+    this.plugins.clear();
+    this.loaded = false;
+    this.loadErrors = [];
+  }
+};
+var pluginLoader = null;
+function getPluginLoader() {
+  if (!pluginLoader) {
+    pluginLoader = new PluginLoader();
+  }
+  return pluginLoader;
+}
+
 // src/verification/verifiers/base.ts
 function createViolation(params) {
   return params;
@@ -2633,418 +2910,212 @@ function isStringLiteralLike(node) {
 }
 var SecurityVerifier = class {
   id = "security";
-  name = "Security Verifier";
-  description = "Detects common security footguns (secrets, eval, XSS/SQL injection heuristics)";
-  async verify(ctx) {
-    const violations = [];
-    const { sourceFile, constraint, decisionId, filePath } = ctx;
-    const rule = constraint.rule.toLowerCase();
-    const checkSecrets = rule.includes("secret") || rule.includes("password") || rule.includes("token") || rule.includes("api key") || rule.includes("hardcoded");
-    const checkEval = rule.includes("eval") || rule.includes("function constructor");
-    const checkXss = rule.includes("xss") || rule.includes("innerhtml") || rule.includes("dangerouslysetinnerhtml");
-    const checkSql = rule.includes("sql") || rule.includes("injection");
-    const checkProto = rule.includes("prototype pollution") || rule.includes("__proto__");
-    if (checkSecrets) {
-      for (const vd of sourceFile.getVariableDeclarations()) {
-        const name = vd.getName();
-        if (!SECRET_NAME_RE.test(name)) continue;
-        const init = vd.getInitializer();
-        if (!init || !isStringLiteralLike(init)) continue;
-        const value = init.getText().slice(1, -1);
-        if (value.length === 0) continue;
-        violations.push(
-          createViolation({
-            decisionId,
-            constraintId: constraint.id,
-            type: constraint.type,
-            severity: constraint.severity,
-            message: `Possible hardcoded secret in variable "${name}"`,
-            file: filePath,
-            line: vd.getStartLineNumber(),
-            suggestion: "Move secrets to environment variables or a secret manager"
-          })
-        );
-      }
-      for (const pa of sourceFile.getDescendantsOfKind(SyntaxKind3.PropertyAssignment)) {
-        const propName = pa.getNameNode().getText();
-        if (!SECRET_NAME_RE.test(propName)) continue;
-        const init = pa.getInitializer();
-        if (!init || !isStringLiteralLike(init)) continue;
-        violations.push(
-          createViolation({
-            decisionId,
-            constraintId: constraint.id,
-            type: constraint.type,
-            severity: constraint.severity,
-            message: `Possible hardcoded secret in object property ${propName}`,
-            file: filePath,
-            line: pa.getStartLineNumber(),
-            suggestion: "Move secrets to environment variables or a secret manager"
-          })
-        );
-      }
-    }
-    if (checkEval) {
-      for (const call of sourceFile.getDescendantsOfKind(SyntaxKind3.CallExpression)) {
-        const exprText = call.getExpression().getText();
-        if (exprText === "eval" || exprText === "Function") {
-          violations.push(
-            createViolation({
-              decisionId,
-              constraintId: constraint.id,
-              type: constraint.type,
-              severity: constraint.severity,
-              message: `Unsafe dynamic code execution via ${exprText}()`,
-              file: filePath,
-              line: call.getStartLineNumber(),
-              suggestion: "Avoid eval/Function; use safer alternatives"
-            })
-          );
-        }
-      }
-    }
-    if (checkXss) {
-      for (const bin of sourceFile.getDescendantsOfKind(SyntaxKind3.BinaryExpression)) {
-        const left = bin.getLeft();
-        const propertyAccess = left.asKind(SyntaxKind3.PropertyAccessExpression);
-        if (!propertyAccess) continue;
-        if (propertyAccess.getName() === "innerHTML") {
-          violations.push(
-            createViolation({
-              decisionId,
-              constraintId: constraint.id,
-              type: constraint.type,
-              severity: constraint.severity,
-              message: "Potential XSS: assignment to innerHTML",
-              file: filePath,
-              line: bin.getStartLineNumber(),
-              suggestion: "Prefer textContent or a safe templating/escaping strategy"
-            })
-          );
-        }
-      }
-      if (sourceFile.getFullText().includes("dangerouslySetInnerHTML")) {
-        violations.push(
-          createViolation({
-            decisionId,
-            constraintId: constraint.id,
-            type: constraint.type,
-            severity: constraint.severity,
-            message: "Potential XSS: usage of dangerouslySetInnerHTML",
-            file: filePath,
-            line: 1,
-            suggestion: "Avoid dangerouslySetInnerHTML or ensure content is sanitized"
-          })
-        );
-      }
-    }
-    if (checkSql) {
-      for (const call of sourceFile.getDescendantsOfKind(SyntaxKind3.CallExpression)) {
-        const expr = call.getExpression();
-        const propertyAccess = expr.asKind(SyntaxKind3.PropertyAccessExpression);
-        if (!propertyAccess) continue;
-        const name = propertyAccess.getName();
-        if (name !== "query" && name !== "execute") continue;
-        const arg = call.getArguments()[0];
-        if (!arg) continue;
-        const isTemplate = arg.getKind() === SyntaxKind3.TemplateExpression;
-        const isConcat = arg.getKind() === SyntaxKind3.BinaryExpression && arg.getText().includes("+");
-        if (!isTemplate && !isConcat) continue;
-        const text = arg.getText().toLowerCase();
-        if (!text.includes("select") && !text.includes("insert") && !text.includes("update") && !text.includes("delete")) {
-          continue;
-        }
-        violations.push(
-          createViolation({
-            decisionId,
-            constraintId: constraint.id,
-            type: constraint.type,
-            severity: constraint.severity,
-            message: "Potential SQL injection: dynamically constructed SQL query",
-            file: filePath,
-            line: call.getStartLineNumber(),
-            suggestion: "Use parameterized queries / prepared statements"
-          })
-        );
-      }
-    }
-    if (checkProto) {
-      const text = sourceFile.getFullText();
-      if (text.includes("__proto__") || text.includes("constructor.prototype")) {
+  name = "Security Verifier";
+  description = "Detects common security footguns (secrets, eval, XSS/SQL injection heuristics)";
+  async verify(ctx) {
+    const violations = [];
+    const { sourceFile, constraint, decisionId, filePath } = ctx;
+    const rule = constraint.rule.toLowerCase();
+    const checkSecrets = rule.includes("secret") || rule.includes("password") || rule.includes("token") || rule.includes("api key") || rule.includes("hardcoded");
+    const checkEval = rule.includes("eval") || rule.includes("function constructor");
+    const checkXss = rule.includes("xss") || rule.includes("innerhtml") || rule.includes("dangerouslysetinnerhtml");
+    const checkSql = rule.includes("sql") || rule.includes("injection");
+    const checkProto = rule.includes("prototype pollution") || rule.includes("__proto__");
+    if (checkSecrets) {
+      for (const vd of sourceFile.getVariableDeclarations()) {
+        const name = vd.getName();
+        if (!SECRET_NAME_RE.test(name)) continue;
+        const init = vd.getInitializer();
+        if (!init || !isStringLiteralLike(init)) continue;
+        const value = init.getText().slice(1, -1);
+        if (value.length === 0) continue;
         violations.push(
           createViolation({
             decisionId,
             constraintId: constraint.id,
             type: constraint.type,
             severity: constraint.severity,
-            message: "Potential prototype pollution pattern detected",
+            message: `Possible hardcoded secret in variable "${name}"`,
             file: filePath,
-            line: 1,
-            suggestion: "Avoid writing to __proto__/prototype; validate object keys"
+            line: vd.getStartLineNumber(),
+            suggestion: "Move secrets to environment variables or a secret manager"
           })
         );
       }
-    }
-    return violations;
-  }
-};
-
-// src/verification/verifiers/api.ts
-import { SyntaxKind as SyntaxKind4 } from "ts-morph";
-var HTTP_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete", "options", "head", "all"]);
-function isKebabPath(pathValue) {
-  const parts = pathValue.split("/").filter(Boolean);
-  for (const part of parts) {
-    if (part.startsWith(":")) continue;
-    if (!/^[a-z0-9-]+$/.test(part)) return false;
-  }
-  return true;
-}
-var ApiVerifier = class {
-  id = "api";
-  name = "API Consistency Verifier";
-  description = "Checks basic REST endpoint naming conventions in common frameworks";
-  async verify(ctx) {
-    const violations = [];
-    const { sourceFile, constraint, decisionId, filePath } = ctx;
-    const rule = constraint.rule.toLowerCase();
-    const enforceKebab = rule.includes("kebab") || rule.includes("kebab-case");
-    if (!enforceKebab) return violations;
-    for (const call of sourceFile.getDescendantsOfKind(SyntaxKind4.CallExpression)) {
-      const expr = call.getExpression();
-      const propertyAccess = expr.asKind(SyntaxKind4.PropertyAccessExpression);
-      if (!propertyAccess) continue;
-      const method = propertyAccess.getName();
-      if (!method || !HTTP_METHODS.has(String(method))) continue;
-      const firstArg = call.getArguments()[0];
-      const stringLiteral = firstArg?.asKind(SyntaxKind4.StringLiteral);
-      if (!stringLiteral) continue;
-      const pathValue = stringLiteral.getLiteralValue();
-      if (typeof pathValue !== "string") continue;
-      if (!isKebabPath(pathValue)) {
+      for (const pa of sourceFile.getDescendantsOfKind(SyntaxKind3.PropertyAssignment)) {
+        const propName = pa.getNameNode().getText();
+        if (!SECRET_NAME_RE.test(propName)) continue;
+        const init = pa.getInitializer();
+        if (!init || !isStringLiteralLike(init)) continue;
         violations.push(
           createViolation({
             decisionId,
             constraintId: constraint.id,
             type: constraint.type,
             severity: constraint.severity,
-            message: `Endpoint path "${pathValue}" is not kebab-case`,
+            message: `Possible hardcoded secret in object property ${propName}`,
             file: filePath,
-            line: call.getStartLineNumber(),
-            suggestion: "Use lowercase and hyphens in static path segments (e.g., /user-settings)"
+            line: pa.getStartLineNumber(),
+            suggestion: "Move secrets to environment variables or a secret manager"
           })
         );
       }
     }
-    return violations;
-  }
-};
-
-// src/verification/plugins/loader.ts
-import { existsSync } from "fs";
-import { join as join5 } from "path";
-import { pathToFileURL } from "url";
-import fg2 from "fast-glob";
-var PluginLoader = class {
-  plugins = /* @__PURE__ */ new Map();
-  loaded = false;
-  loadErrors = [];
-  logger = getLogger({ module: "verification.plugins.loader" });
-  /**
-   * Load all plugins from the specified base path
-   *
-   * @param basePath - Project root directory (usually cwd)
-   */
-  async loadPlugins(basePath) {
-    const verifiersDir = join5(basePath, ".specbridge", "verifiers");
-    if (!existsSync(verifiersDir)) {
-      this.loaded = true;
-      return;
-    }
-    const files = await fg2("**/*.{ts,js}", {
-      cwd: verifiersDir,
-      absolute: true,
-      ignore: ["**/*.test.{ts,js}", "**/*.d.ts"]
-    });
-    for (const file of files) {
-      try {
-        await this.loadPlugin(file);
-      } catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        this.loadErrors.push({ file, error: message });
-        this.logger.warn({ file, error: message }, "Failed to load plugin");
+    if (checkEval) {
+      for (const call of sourceFile.getDescendantsOfKind(SyntaxKind3.CallExpression)) {
+        const exprText = call.getExpression().getText();
+        if (exprText === "eval" || exprText === "Function") {
+          violations.push(
+            createViolation({
+              decisionId,
+              constraintId: constraint.id,
+              type: constraint.type,
+              severity: constraint.severity,
+              message: `Unsafe dynamic code execution via ${exprText}()`,
+              file: filePath,
+              line: call.getStartLineNumber(),
+              suggestion: "Avoid eval/Function; use safer alternatives"
+            })
+          );
+        }
       }
     }
-    this.loaded = true;
-    if (this.plugins.size > 0) {
-      this.logger.info({ count: this.plugins.size }, "Loaded custom verifier plugins");
-    }
-    if (this.loadErrors.length > 0) {
-      this.logger.warn({ count: this.loadErrors.length }, "Plugin load failures");
-    }
-  }
-  /**
-   * Load a single plugin file
-   */
-  async loadPlugin(filePath) {
-    const fileUrl = pathToFileURL(filePath).href;
-    const module = await import(fileUrl);
-    const plugin = module.default || module.plugin;
-    if (!plugin) {
-      throw new Error('Plugin must export a default or named "plugin" export');
-    }
-    this.validatePlugin(plugin, filePath);
-    if (this.plugins.has(plugin.metadata.id)) {
-      throw new Error(
-        `Plugin ID "${plugin.metadata.id}" is already registered. Each plugin must have a unique ID.`
-      );
-    }
-    this.plugins.set(plugin.metadata.id, plugin);
-  }
-  /**
-   * Validate plugin structure and metadata
-   */
-  validatePlugin(plugin, _filePath) {
-    if (!plugin.metadata) {
-      throw new Error('Plugin must have a "metadata" property');
-    }
-    if (!plugin.metadata.id || typeof plugin.metadata.id !== "string") {
-      throw new Error('Plugin metadata must have a string "id" property');
-    }
-    if (!plugin.metadata.version || typeof plugin.metadata.version !== "string") {
-      throw new Error('Plugin metadata must have a string "version" property');
-    }
-    const idPattern = /^[a-z][a-z0-9-]*$/;
-    if (!idPattern.test(plugin.metadata.id)) {
-      throw new Error(
-        `Plugin ID "${plugin.metadata.id}" is invalid. ID must start with a lowercase letter and contain only lowercase letters, numbers, and hyphens.`
-      );
-    }
-    if (typeof plugin.createVerifier !== "function") {
-      throw new Error('Plugin must have a "createVerifier" function');
-    }
-    let verifier;
-    try {
-      verifier = plugin.createVerifier();
-    } catch (error) {
-      const message = error instanceof Error ? error.message : String(error);
-      throw new Error(`createVerifier() threw an error: ${message}`);
-    }
-    if (!verifier || typeof verifier !== "object") {
-      throw new Error("createVerifier() must return an object");
-    }
-    if (!verifier.id || typeof verifier.id !== "string") {
-      throw new Error('Verifier must have a string "id" property');
-    }
-    if (!verifier.name || typeof verifier.name !== "string") {
-      throw new Error('Verifier must have a string "name" property');
-    }
-    if (!verifier.description || typeof verifier.description !== "string") {
-      throw new Error('Verifier must have a string "description" property');
-    }
-    if (typeof verifier.verify !== "function") {
-      throw new Error('Verifier must have a "verify" method');
-    }
-    if (verifier.id !== plugin.metadata.id) {
-      throw new Error(
-        `Verifier ID "${verifier.id}" does not match plugin metadata ID "${plugin.metadata.id}". These must be identical.`
-      );
-    }
-  }
-  /**
-   * Get a verifier instance by ID
-   *
-   * @param id - Verifier ID
-   * @returns Verifier instance or null if not found
-   */
-  getVerifier(id) {
-    const plugin = this.plugins.get(id);
-    return plugin ? plugin.createVerifier() : null;
-  }
-  /**
-   * Get a plugin by ID (includes paramsSchema)
-   *
-   * @param id - Plugin ID
-   * @returns Plugin or null if not found
-   */
-  getPlugin(id) {
-    return this.plugins.get(id) || null;
-  }
-  /**
-   * Validate params against a plugin's paramsSchema
-   *
-   * @param id - Plugin ID
-   * @param params - Parameters to validate
-   * @returns Validation result with success flag and error message if failed
-   */
-  validateParams(id, params) {
-    const plugin = this.plugins.get(id);
-    if (!plugin) {
-      return { success: false, error: `Plugin ${id} not found` };
-    }
-    if (!plugin.paramsSchema) {
-      return { success: true };
-    }
-    if (!params) {
-      return { success: false, error: `Plugin ${id} requires params but none were provided` };
-    }
-    if (typeof plugin.paramsSchema !== "object" || !plugin.paramsSchema || !("parse" in plugin.paramsSchema)) {
-      return {
-        success: false,
-        error: `Plugin ${id} has invalid paramsSchema (must be a Zod schema)`
-      };
+    if (checkXss) {
+      for (const bin of sourceFile.getDescendantsOfKind(SyntaxKind3.BinaryExpression)) {
+        const left = bin.getLeft();
+        const propertyAccess = left.asKind(SyntaxKind3.PropertyAccessExpression);
+        if (!propertyAccess) continue;
+        if (propertyAccess.getName() === "innerHTML") {
+          violations.push(
+            createViolation({
+              decisionId,
+              constraintId: constraint.id,
+              type: constraint.type,
+              severity: constraint.severity,
+              message: "Potential XSS: assignment to innerHTML",
+              file: filePath,
+              line: bin.getStartLineNumber(),
+              suggestion: "Prefer textContent or a safe templating/escaping strategy"
+            })
+          );
+        }
+      }
+      if (sourceFile.getFullText().includes("dangerouslySetInnerHTML")) {
+        violations.push(
+          createViolation({
+            decisionId,
+            constraintId: constraint.id,
+            type: constraint.type,
+            severity: constraint.severity,
+            message: "Potential XSS: usage of dangerouslySetInnerHTML",
+            file: filePath,
+            line: 1,
+            suggestion: "Avoid dangerouslySetInnerHTML or ensure content is sanitized"
+          })
+        );
+      }
     }
-    const schema = plugin.paramsSchema;
-    if (schema.safeParse) {
-      const result = schema.safeParse(params);
-      if (!result.success) {
-        const errors = result.error?.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join(", ") || "Validation failed";
-        return { success: false, error: `Invalid params for ${id}: ${errors}` };
+    if (checkSql) {
+      for (const call of sourceFile.getDescendantsOfKind(SyntaxKind3.CallExpression)) {
+        const expr = call.getExpression();
+        const propertyAccess = expr.asKind(SyntaxKind3.PropertyAccessExpression);
+        if (!propertyAccess) continue;
+        const name = propertyAccess.getName();
+        if (name !== "query" && name !== "execute") continue;
+        const arg = call.getArguments()[0];
+        if (!arg) continue;
+        const isTemplate = arg.getKind() === SyntaxKind3.TemplateExpression;
+        const isConcat = arg.getKind() === SyntaxKind3.BinaryExpression && arg.getText().includes("+");
+        if (!isTemplate && !isConcat) continue;
+        const text = arg.getText().toLowerCase();
+        if (!text.includes("select") && !text.includes("insert") && !text.includes("update") && !text.includes("delete")) {
+          continue;
+        }
+        violations.push(
+          createViolation({
+            decisionId,
+            constraintId: constraint.id,
+            type: constraint.type,
+            severity: constraint.severity,
+            message: "Potential SQL injection: dynamically constructed SQL query",
+            file: filePath,
+            line: call.getStartLineNumber(),
+            suggestion: "Use parameterized queries / prepared statements"
+          })
+        );
       }
-    } else {
-      try {
-        schema.parse(params);
-      } catch (error) {
-        const message = error instanceof Error ? error.message : String(error);
-        return { success: false, error: `Invalid params for ${id}: ${message}` };
+    }
+    if (checkProto) {
+      const text = sourceFile.getFullText();
+      if (text.includes("__proto__") || text.includes("constructor.prototype")) {
+        violations.push(
+          createViolation({
+            decisionId,
+            constraintId: constraint.id,
+            type: constraint.type,
+            severity: constraint.severity,
+            message: "Potential prototype pollution pattern detected",
+            file: filePath,
+            line: 1,
+            suggestion: "Avoid writing to __proto__/prototype; validate object keys"
+          })
+        );
       }
     }
-    return { success: true };
-  }
-  /**
-   * Get all registered plugin IDs
-   */
-  getPluginIds() {
-    return Array.from(this.plugins.keys());
-  }
-  /**
-   * Check if plugins have been loaded
-   */
-  isLoaded() {
-    return this.loaded;
-  }
-  /**
-   * Get load errors (for diagnostics)
-   */
-  getLoadErrors() {
-    return [...this.loadErrors];
-  }
-  /**
-   * Reset the loader (useful for testing)
-   */
-  reset() {
-    this.plugins.clear();
-    this.loaded = false;
-    this.loadErrors = [];
+    return violations;
   }
 };
-var pluginLoader = null;
-function getPluginLoader() {
-  if (!pluginLoader) {
-    pluginLoader = new PluginLoader();
+
+// src/verification/verifiers/api.ts
+import { SyntaxKind as SyntaxKind4 } from "ts-morph";
+var HTTP_METHODS = /* @__PURE__ */ new Set(["get", "post", "put", "patch", "delete", "options", "head", "all"]);
+function isKebabPath(pathValue) {
+  const parts = pathValue.split("/").filter(Boolean);
+  for (const part of parts) {
+    if (part.startsWith(":")) continue;
+    if (!/^[a-z0-9-]+$/.test(part)) return false;
   }
-  return pluginLoader;
+  return true;
 }
+var ApiVerifier = class {
+  id = "api";
+  name = "API Consistency Verifier";
+  description = "Checks basic REST endpoint naming conventions in common frameworks";
+  async verify(ctx) {
+    const violations = [];
+    const { sourceFile, constraint, decisionId, filePath } = ctx;
+    const rule = constraint.rule.toLowerCase();
+    const enforceKebab = rule.includes("kebab") || rule.includes("kebab-case");
+    if (!enforceKebab) return violations;
+    for (const call of sourceFile.getDescendantsOfKind(SyntaxKind4.CallExpression)) {
+      const expr = call.getExpression();
+      const propertyAccess = expr.asKind(SyntaxKind4.PropertyAccessExpression);
+      if (!propertyAccess) continue;
+      const method = propertyAccess.getName();
+      if (!method || !HTTP_METHODS.has(String(method))) continue;
+      const firstArg = call.getArguments()[0];
+      const stringLiteral = firstArg?.asKind(SyntaxKind4.StringLiteral);
+      if (!stringLiteral) continue;
+      const pathValue = stringLiteral.getLiteralValue();
+      if (typeof pathValue !== "string") continue;
+      if (!isKebabPath(pathValue)) {
+        violations.push(
+          createViolation({
+            decisionId,
+            constraintId: constraint.id,
+            type: constraint.type,
+            severity: constraint.severity,
+            message: `Endpoint path "${pathValue}" is not kebab-case`,
+            file: filePath,
+            line: call.getStartLineNumber(),
+            suggestion: "Use lowercase and hyphens in static path segments (e.g., /user-settings)"
+          })
+        );
+      }
+    }
+    return violations;
+  }
+};
 
 // src/verification/verifiers/index.ts
 var builtinVerifiers = {
@@ -3117,51 +3188,216 @@ function selectVerifierForConstraint(rule, specifiedVerifier, check) {
   return getVerifier("regex");
 }
 
-// src/verification/cache.ts
-import { stat as stat2, readFile as readFile2 } from "fs/promises";
-import { createHash } from "crypto";
-var AstCache = class {
-  cache = /* @__PURE__ */ new Map();
-  async get(filePath, project) {
-    try {
-      const stats = await stat2(filePath);
-      const cached = this.cache.get(filePath);
-      if (cached && cached.mtimeMs >= stats.mtimeMs) {
-        return cached.sourceFile;
+// src/verification/file-verifier.ts
+async function verifySingleFile(options, dependencies) {
+  const { filePath, decisions, severityFilter, cwd, reporter, signal } = options;
+  const { project, astCache, resultsCache, logger: logger2 } = dependencies;
+  const violations = [];
+  const warnings = [];
+  const errors = [];
+  if (signal?.aborted) {
+    return { violations, warnings, errors };
+  }
+  const sourceFile = await astCache.get(filePath, project);
+  if (!sourceFile) {
+    return { violations, warnings, errors };
+  }
+  let fileHash = null;
+  try {
+    const content = await readFile3(filePath, "utf-8");
+    fileHash = createHash2("sha256").update(content).digest("hex");
+  } catch {
+    fileHash = null;
+  }
+  for (const decision of decisions) {
+    for (const constraint of decision.constraints) {
+      if (!shouldApplyConstraintToFile({ filePath, constraint, cwd, severityFilter })) {
+        if (reporter) {
+          reporter.add({
+            file: filePath,
+            decision,
+            constraint,
+            applied: false,
+            reason: "File does not match scope pattern or severity filter"
+          });
+        }
+        continue;
       }
-      const content = await readFile2(filePath, "utf-8");
-      const hash = createHash("sha256").update(content).digest("hex");
-      if (cached && cached.hash === hash) {
-        cached.mtimeMs = stats.mtimeMs;
-        return cached.sourceFile;
+      const verifier = selectVerifierForConstraint(
+        constraint.rule,
+        constraint.verifier,
+        constraint.check
+      );
+      if (!verifier) {
+        const requestedVerifier = constraint.check?.verifier || constraint.verifier || "auto-detected";
+        logger2.warn(
+          {
+            decisionId: decision.metadata.id,
+            constraintId: constraint.id,
+            requestedVerifier,
+            availableVerifiers: getVerifierIds()
+          },
+          "No verifier found for constraint"
+        );
+        warnings.push({
+          type: "missing_verifier",
+          message: `No verifier found for constraint (requested: ${requestedVerifier})`,
+          decisionId: decision.metadata.id,
+          constraintId: constraint.id,
+          file: filePath
+        });
+        if (reporter) {
+          reporter.add({
+            file: filePath,
+            decision,
+            constraint,
+            applied: false,
+            reason: `No verifier found (requested: ${requestedVerifier})`
+          });
+        }
+        continue;
       }
-      let sourceFile = project.getSourceFile(filePath);
-      if (!sourceFile) {
-        sourceFile = project.addSourceFileAtPath(filePath);
-      } else {
-        sourceFile.refreshFromFileSystemSync();
+      let constraintViolations;
+      if (fileHash) {
+        const cacheKey = {
+          filePath,
+          decisionId: decision.metadata.id,
+          constraintId: constraint.id,
+          fileHash
+        };
+        const cached = resultsCache.get(cacheKey);
+        if (cached) {
+          constraintViolations = cached;
+          violations.push(...constraintViolations);
+          if (reporter) {
+            reporter.add({
+              file: filePath,
+              decision,
+              constraint,
+              applied: true,
+              reason: "Constraint matches file scope (cached)",
+              selectedVerifier: verifier.id
+            });
+          }
+          continue;
+        }
+      }
+      if (constraint.check?.verifier && constraint.check?.params) {
+        const validationResult = getPluginLoader().validateParams(
+          constraint.check.verifier,
+          constraint.check.params
+        );
+        if (!validationResult.success) {
+          warnings.push({
+            type: "invalid_params",
+            message: validationResult.error,
+            decisionId: decision.metadata.id,
+            constraintId: constraint.id,
+            file: filePath
+          });
+          if (reporter) {
+            reporter.add({
+              file: filePath,
+              decision,
+              constraint,
+              applied: false,
+              reason: `Params validation failed: ${validationResult.error}`
+            });
+          }
+          continue;
+        }
+      }
+      const verificationContext = {
+        filePath,
+        sourceFile,
+        constraint,
+        decisionId: decision.metadata.id,
+        signal
+      };
+      const verificationStart = Date.now();
+      try {
+        constraintViolations = await verifier.verify(verificationContext);
+        violations.push(...constraintViolations);
+        if (fileHash) {
+          resultsCache.set(
+            {
+              filePath,
+              decisionId: decision.metadata.id,
+              constraintId: constraint.id,
+              fileHash
+            },
+            constraintViolations
+          );
+        }
+        if (reporter) {
+          reporter.add({
+            file: filePath,
+            decision,
+            constraint,
+            applied: true,
+            reason: "Constraint matches file scope",
+            selectedVerifier: verifier.id,
+            verifierOutput: {
+              violations: constraintViolations.length,
+              duration: Date.now() - verificationStart
+            }
+          });
+        }
+      } catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        const errorStack = error instanceof Error ? error.stack : void 0;
+        logger2.error(
+          {
+            verifierId: verifier.id,
+            filePath,
+            decisionId: decision.metadata.id,
+            constraintId: constraint.id,
+            error: errorMessage,
+            stack: errorStack
+          },
+          "Verifier execution failed"
+        );
+        errors.push({
+          type: "verifier_exception",
+          message: `Verifier '${verifier.id}' failed: ${errorMessage}`,
+          decisionId: decision.metadata.id,
+          constraintId: constraint.id,
+          file: filePath,
+          stack: errorStack
+        });
+        if (reporter) {
+          reporter.add({
+            file: filePath,
+            decision,
+            constraint,
+            applied: true,
+            reason: "Constraint matches file scope",
+            selectedVerifier: verifier.id,
+            verifierOutput: {
+              violations: 0,
+              duration: Date.now() - verificationStart,
+              error: errorMessage
+            }
+          });
+        }
       }
-      this.cache.set(filePath, {
-        sourceFile,
-        hash,
-        mtimeMs: stats.mtimeMs
-      });
-      return sourceFile;
-    } catch {
-      return null;
     }
   }
-  clear() {
-    this.cache.clear();
-  }
-  getStats() {
-    return {
-      entries: this.cache.size,
-      memoryEstimate: this.cache.size * 5e4
-      // Rough estimate: 50KB per AST
-    };
+  return { violations, warnings, errors };
+}
+async function verifyFilesInBatches(options) {
+  const { files, signal, verifyFile, onFileVerified, batchSize = 50 } = options;
+  for (let i = 0; i < files.length; i += batchSize) {
+    if (signal.aborted) {
+      break;
+    }
+    const batch = files.slice(i, i + batchSize);
+    const results = await Promise.all(batch.map((filePath) => verifyFile(filePath)));
+    for (const result of results) {
+      onFileVerified(result);
+    }
   }
-};
+}
 
 // src/verification/results-cache.ts
 var ResultsCache = class {
@@ -3233,30 +3469,63 @@ var ResultsCache = class {
   }
 };
 
-// src/verification/applicability.ts
-function isConstraintExcepted(filePath, constraint, cwd) {
-  if (!constraint.exceptions) return false;
-  return constraint.exceptions.some((exception) => {
-    if (exception.expiresAt) {
-      const expiryDate = new Date(exception.expiresAt);
-      if (expiryDate < /* @__PURE__ */ new Date()) {
-        return false;
-      }
-    }
-    return matchesPattern(filePath, exception.pattern, { cwd });
+// src/verification/run-settings.ts
+function resolveVerificationRunOptions(config, options) {
+  const level = options.level || "full";
+  const levelConfig = config.verification?.levels?.[level];
+  const severityFilter = options.severity || levelConfig?.severity;
+  const timeout = options.timeout || levelConfig?.timeout || 6e4;
+  return {
+    level,
+    specificFiles: options.files,
+    decisionIds: options.decisions,
+    severityFilter,
+    timeout,
+    cwd: options.cwd || process.cwd()
+  };
+}
+function selectDecisionsForRun(decisions, decisionIds) {
+  if (!decisionIds || decisionIds.length === 0) {
+    return decisions;
+  }
+  return decisions.filter((decision) => decisionIds.includes(decision.metadata.id));
+}
+async function resolveFilesForRun(config, specificFiles, cwd) {
+  if (specificFiles) {
+    return specificFiles;
+  }
+  return glob(config.project.sourceRoots, {
+    cwd,
+    ignore: config.project.exclude,
+    absolute: true
   });
 }
-function shouldApplyConstraintToFile(params) {
-  const { filePath, constraint, cwd, severityFilter } = params;
-  if (!matchesPattern(filePath, constraint.scope, { cwd })) return false;
-  if (severityFilter && !severityFilter.includes(constraint.severity)) return false;
-  if (isConstraintExcepted(filePath, constraint, cwd)) return false;
-  return true;
+function createEmptyRunResult(startTime) {
+  return {
+    success: true,
+    violations: [],
+    checked: 0,
+    passed: 0,
+    failed: 0,
+    skipped: 0,
+    duration: Date.now() - startTime,
+    warnings: [],
+    errors: []
+  };
+}
+function hasBlockingViolations(violations, level) {
+  return violations.some((violation) => {
+    if (level === "commit") {
+      return violation.type === "invariant" || violation.severity === "critical";
+    }
+    if (level === "pr") {
+      return violation.type === "invariant" || violation.severity === "critical" || violation.severity === "high";
+    }
+    return violation.type === "invariant";
+  });
 }
 
 // src/verification/engine.ts
-import { createHash as createHash2 } from "crypto";
-import { readFile as readFile3 } from "fs/promises";
 var VerificationEngine = class {
   registry;
   project;
@@ -3283,333 +3552,90 @@ var VerificationEngine = class {
    */
   async verify(config, options = {}) {
     const startTime = Date.now();
-    const {
-      level = "full",
-      files: specificFiles,
-      decisions: decisionIds,
-      cwd = process.cwd()
-    } = options;
-    const levelConfig = config.verification?.levels?.[level];
-    const severityFilter = options.severity || levelConfig?.severity;
-    const timeout = options.timeout || levelConfig?.timeout || 6e4;
-    if (!this.pluginsLoaded) {
-      await getPluginLoader().loadPlugins(cwd);
-      this.pluginsLoaded = true;
-    }
+    const settings = resolveVerificationRunOptions(config, options);
+    await this.ensurePluginsLoaded(settings.cwd);
     await this.registry.load();
-    let decisions = this.registry.getActive();
-    if (decisionIds && decisionIds.length > 0) {
-      decisions = decisions.filter((d) => decisionIds.includes(d.metadata.id));
-    }
-    const filesToVerify = specificFiles ? specificFiles : await glob(config.project.sourceRoots, {
-      cwd,
-      ignore: config.project.exclude,
-      absolute: true
-    });
+    const decisions = selectDecisionsForRun(this.registry.getActive(), settings.decisionIds);
+    const filesToVerify = await resolveFilesForRun(config, settings.specificFiles, settings.cwd);
     if (filesToVerify.length === 0) {
-      return {
-        success: true,
-        violations: [],
-        checked: 0,
-        passed: 0,
-        failed: 0,
-        skipped: 0,
-        duration: Date.now() - startTime,
-        warnings: [],
-        errors: []
-      };
+      return createEmptyRunResult(startTime);
     }
-    const allViolations = [];
-    const allWarnings = [];
-    const allErrors = [];
-    let checked = 0;
-    let passed = 0;
-    let failed = 0;
-    const skipped = 0;
+    const accumulator = this.createAccumulator();
     const abortController = new AbortController();
     let timeoutHandle = null;
     const timeoutPromise = new Promise((resolve2) => {
       timeoutHandle = setTimeout(() => {
         abortController.abort();
         resolve2("timeout");
-      }, timeout);
+      }, settings.timeout);
       timeoutHandle.unref();
     });
-    const verificationPromise = this.verifyFiles(
-      filesToVerify,
-      decisions,
-      severityFilter,
-      cwd,
-      options.reporter,
-      abortController.signal,
-      (violations, warnings, errors) => {
-        allViolations.push(...violations);
-        allWarnings.push(...warnings);
-        allErrors.push(...errors);
-        checked++;
-        if (violations.length > 0) {
-          failed++;
-        } else {
-          passed++;
-        }
-      }
-    );
-    let result;
+    const verificationPromise = verifyFilesInBatches({
+      files: filesToVerify,
+      signal: abortController.signal,
+      verifyFile: (filePath) => this.verifyFile(
+        filePath,
+        decisions,
+        settings.severityFilter,
+        settings.cwd,
+        options.reporter,
+        abortController.signal
+      ),
+      onFileVerified: (result) => this.addFileResult(accumulator, result)
+    });
+    let raceResult;
     try {
-      result = await Promise.race([verificationPromise, timeoutPromise]);
-      if (result === "timeout") {
-        return {
-          success: false,
-          violations: allViolations,
-          checked,
-          passed,
-          failed,
-          skipped: filesToVerify.length - checked,
-          duration: timeout,
-          warnings: allWarnings,
-          errors: allErrors
-        };
-      }
+      raceResult = await Promise.race([verificationPromise, timeoutPromise]);
     } finally {
       if (timeoutHandle) {
         clearTimeout(timeoutHandle);
-        timeoutHandle = null;
       }
     }
-    const hasBlockingViolations = allViolations.some((v) => {
-      if (level === "commit") {
-        return v.type === "invariant" || v.severity === "critical";
-      }
-      if (level === "pr") {
-        return v.type === "invariant" || v.severity === "critical" || v.severity === "high";
-      }
-      return v.type === "invariant";
-    });
+    if (raceResult === "timeout") {
+      return {
+        success: false,
+        violations: accumulator.violations,
+        checked: accumulator.checked,
+        passed: accumulator.passed,
+        failed: accumulator.failed,
+        skipped: filesToVerify.length - accumulator.checked,
+        duration: settings.timeout,
+        warnings: accumulator.warnings,
+        errors: accumulator.errors
+      };
+    }
     return {
-      success: !hasBlockingViolations,
-      violations: allViolations,
-      checked,
-      passed,
-      failed,
-      skipped,
+      success: !hasBlockingViolations(accumulator.violations, settings.level),
+      violations: accumulator.violations,
+      checked: accumulator.checked,
+      passed: accumulator.passed,
+      failed: accumulator.failed,
+      skipped: 0,
       duration: Date.now() - startTime,
-      warnings: allWarnings,
-      errors: allErrors
+      warnings: accumulator.warnings,
+      errors: accumulator.errors
     };
   }
   /**
    * Verify a single file
    */
   async verifyFile(filePath, decisions, severityFilter, cwd = process.cwd(), reporter, signal) {
-    const violations = [];
-    const warnings = [];
-    const errors = [];
-    if (signal?.aborted) {
-      return { violations, warnings, errors };
-    }
-    const sourceFile = await this.astCache.get(filePath, this.project);
-    if (!sourceFile) return { violations, warnings, errors };
-    let fileHash = null;
-    try {
-      const content = await readFile3(filePath, "utf-8");
-      fileHash = createHash2("sha256").update(content).digest("hex");
-    } catch {
-      fileHash = null;
-    }
-    for (const decision of decisions) {
-      for (const constraint of decision.constraints) {
-        if (!shouldApplyConstraintToFile({ filePath, constraint, cwd, severityFilter })) {
-          if (reporter) {
-            reporter.add({
-              file: filePath,
-              decision,
-              constraint,
-              applied: false,
-              reason: "File does not match scope pattern or severity filter"
-            });
-          }
-          continue;
-        }
-        const verifier = selectVerifierForConstraint(
-          constraint.rule,
-          constraint.verifier,
-          constraint.check
-        );
-        if (!verifier) {
-          const requestedVerifier = constraint.check?.verifier || constraint.verifier || "auto-detected";
-          this.logger.warn(
-            {
-              decisionId: decision.metadata.id,
-              constraintId: constraint.id,
-              requestedVerifier,
-              availableVerifiers: getVerifierIds()
-            },
-            "No verifier found for constraint"
-          );
-          warnings.push({
-            type: "missing_verifier",
-            message: `No verifier found for constraint (requested: ${requestedVerifier})`,
-            decisionId: decision.metadata.id,
-            constraintId: constraint.id,
-            file: filePath
-          });
-          if (reporter) {
-            reporter.add({
-              file: filePath,
-              decision,
-              constraint,
-              applied: false,
-              reason: `No verifier found (requested: ${requestedVerifier})`
-            });
-          }
-          continue;
-        }
-        let constraintViolations;
-        if (fileHash) {
-          const cacheKey = {
-            filePath,
-            decisionId: decision.metadata.id,
-            constraintId: constraint.id,
-            fileHash
-          };
-          const cached = this.resultsCache.get(cacheKey);
-          if (cached) {
-            constraintViolations = cached;
-            violations.push(...constraintViolations);
-            if (reporter) {
-              reporter.add({
-                file: filePath,
-                decision,
-                constraint,
-                applied: true,
-                reason: "Constraint matches file scope (cached)",
-                selectedVerifier: verifier.id
-              });
-            }
-            continue;
-          }
-        }
-        if (constraint.check?.verifier && constraint.check?.params) {
-          const pluginLoader2 = getPluginLoader();
-          const validationResult = pluginLoader2.validateParams(
-            constraint.check.verifier,
-            constraint.check.params
-          );
-          if (!validationResult.success) {
-            warnings.push({
-              type: "invalid_params",
-              message: validationResult.error,
-              decisionId: decision.metadata.id,
-              constraintId: constraint.id,
-              file: filePath
-            });
-            if (reporter) {
-              reporter.add({
-                file: filePath,
-                decision,
-                constraint,
-                applied: false,
-                reason: `Params validation failed: ${validationResult.error}`
-              });
-            }
-            continue;
-          }
-        }
-        const ctx = {
-          filePath,
-          sourceFile,
-          constraint,
-          decisionId: decision.metadata.id,
-          signal
-        };
-        const verificationStart = Date.now();
-        try {
-          constraintViolations = await verifier.verify(ctx);
-          violations.push(...constraintViolations);
-          if (fileHash) {
-            this.resultsCache.set(
-              {
-                filePath,
-                decisionId: decision.metadata.id,
-                constraintId: constraint.id,
-                fileHash
-              },
-              constraintViolations
-            );
-          }
-          if (reporter) {
-            reporter.add({
-              file: filePath,
-              decision,
-              constraint,
-              applied: true,
-              reason: "Constraint matches file scope",
-              selectedVerifier: verifier.id,
-              verifierOutput: {
-                violations: constraintViolations.length,
-                duration: Date.now() - verificationStart
-              }
-            });
-          }
-        } catch (error) {
-          const errorMessage = error instanceof Error ? error.message : String(error);
-          const errorStack = error instanceof Error ? error.stack : void 0;
-          this.logger.error(
-            {
-              verifierId: verifier.id,
-              filePath,
-              decisionId: decision.metadata.id,
-              constraintId: constraint.id,
-              error: errorMessage,
-              stack: errorStack
-            },
-            "Verifier execution failed"
-          );
-          errors.push({
-            type: "verifier_exception",
-            message: `Verifier '${verifier.id}' failed: ${errorMessage}`,
-            decisionId: decision.metadata.id,
-            constraintId: constraint.id,
-            file: filePath,
-            stack: errorStack
-          });
-          if (reporter) {
-            reporter.add({
-              file: filePath,
-              decision,
-              constraint,
-              applied: true,
-              reason: "Constraint matches file scope",
-              selectedVerifier: verifier.id,
-              verifierOutput: {
-                violations: 0,
-                duration: Date.now() - verificationStart,
-                error: errorMessage
-              }
-            });
-          }
-        }
-      }
-    }
-    return { violations, warnings, errors };
-  }
-  /**
-   * Verify multiple files
-   */
-  async verifyFiles(files, decisions, severityFilter, cwd, reporter, signal, onFileVerified) {
-    const BATCH_SIZE = 50;
-    for (let i = 0; i < files.length; i += BATCH_SIZE) {
-      if (signal.aborted) {
-        break;
-      }
-      const batch = files.slice(i, i + BATCH_SIZE);
-      const results = await Promise.all(
-        batch.map((file) => this.verifyFile(file, decisions, severityFilter, cwd, reporter, signal))
-      );
-      for (const result of results) {
-        onFileVerified(result.violations, result.warnings, result.errors);
+    return verifySingleFile(
+      {
+        filePath,
+        decisions,
+        severityFilter,
+        cwd,
+        reporter,
+        signal
+      },
+      {
+        project: this.project,
+        astCache: this.astCache,
+        resultsCache: this.resultsCache,
+        logger: this.logger
       }
-    }
+    );
   }
   /**
    * Get registry
@@ -3617,6 +3643,34 @@ var VerificationEngine = class {
   getRegistry() {
     return this.registry;
   }
+  async ensurePluginsLoaded(cwd) {
+    if (this.pluginsLoaded) {
+      return;
+    }
+    await getPluginLoader().loadPlugins(cwd);
+    this.pluginsLoaded = true;
+  }
+  createAccumulator() {
+    return {
+      violations: [],
+      warnings: [],
+      errors: [],
+      checked: 0,
+      passed: 0,
+      failed: 0
+    };
+  }
+  addFileResult(accumulator, result) {
+    accumulator.violations.push(...result.violations);
+    accumulator.warnings.push(...result.warnings);
+    accumulator.errors.push(...result.errors);
+    accumulator.checked++;
+    if (result.violations.length > 0) {
+      accumulator.failed++;
+    } else {
+      accumulator.passed++;
+    }
+  }
 };
 function createVerificationEngine(registry) {
   return new VerificationEngine(registry);
@@ -5382,12 +5436,11 @@ async function generateFormattedContext(filePath, config, options = {}) {
 
 // src/cli/commands/context.ts
 var contextCommand = new Command11("context").description("Generate architectural context for a file (for AI agents)").argument("<file>", "File path to generate context for").option("-f, --format <format>", "Output format (markdown, json, mcp)", "markdown").option("-o, --output <file>", "Output file path").option("--no-rationale", "Exclude rationale/summary from output").action(async (file, options) => {
-  const cwd = process.cwd();
-  if (!await pathExists(getSpecBridgeDir(cwd))) {
-    throw new NotInitializedError();
-  }
   try {
-    const config = await loadConfig(cwd);
+    const { context, config } = await createConfiguredCommandContext({
+      outputFormat: options.format === "json" ? "json" : "markdown"
+    });
+    const { cwd } = context;
     const output = await generateFormattedContext(file, config, {
       format: options.format,
       includeRationale: options.rationale !== false,
@@ -5641,11 +5694,8 @@ import chalk14 from "chalk";
 import chokidar from "chokidar";
 import path4 from "path";
 var watchCommand = new Command13("watch").description("Watch for changes and verify files continuously").option("-l, --level <level>", "Verification level (commit, pr, full)", "full").option("--debounce <ms>", "Debounce verify on rapid changes", "150").action(async (options) => {
-  const cwd = process.cwd();
-  if (!await pathExists(getSpecBridgeDir(cwd))) {
-    throw new NotInitializedError();
-  }
-  const config = await loadConfig(cwd);
+  const { context, config } = await createConfiguredCommandContext();
+  const { cwd } = context;
   const engine = createVerificationEngine();
   const level = options.level || "full";
   const debounceMs = Number.parseInt(options.debounce || "150", 10);
@@ -6183,10 +6233,10 @@ var AnalyticsEngine = class {
 
 // src/cli/commands/analytics.ts
 var analyticsCommand = new Command16("analytics").description("Analyze compliance trends and decision impact").argument("[decision-id]", "Specific decision to analyze").option("--insights", "Show AI-generated insights").option("--days <n>", "Number of days of history to analyze", "90").option("-f, --format <format>", "Output format (console, json)", "console").action(async (decisionId, options) => {
-  const cwd = process.cwd();
-  if (!await pathExists(getSpecBridgeDir(cwd))) {
-    throw new NotInitializedError();
-  }
+  const { context } = await createConfiguredCommandContext({
+    outputFormat: options.format === "json" ? "json" : "console"
+  });
+  const { cwd } = context;
   const spinner = ora7("Analyzing compliance data...").start();
   try {
     const storage = new ReportStorage(cwd);
@@ -6639,13 +6689,10 @@ function createDashboardServer(options) {
 
 // src/cli/commands/dashboard.ts
 var dashboardCommand = new Command17("dashboard").description("Start compliance dashboard web server").option("-p, --port <port>", "Port to listen on", "3000").option("-h, --host <host>", "Host to bind to", "localhost").action(async (options) => {
-  const cwd = process.cwd();
-  if (!await pathExists(getSpecBridgeDir(cwd))) {
-    throw new NotInitializedError();
-  }
   console.log(chalk16.blue("Starting SpecBridge dashboard..."));
   try {
-    const config = await loadConfig(cwd);
+    const { context, config } = await createConfiguredCommandContext();
+    const { cwd } = context;
     const server = createDashboardServer({ cwd, config });
     await server.start();
     const port = parseInt(options.port || "3000", 10);
@@ -6891,13 +6938,12 @@ function createPropagationEngine(registry) {
 
 // src/cli/commands/impact.ts
 var impactCommand = new Command18("impact").description("Analyze impact of decision changes").argument("<decision-id>", "Decision ID to analyze").option("-c, --change <type>", "Type of change (created, modified, deprecated)", "modified").option("--json", "Output as JSON").option("--show-steps", "Show detailed migration steps", true).action(async (decisionId, options) => {
-  const cwd = process.cwd();
-  if (!await pathExists(getSpecBridgeDir(cwd))) {
-    throw new NotInitializedError();
-  }
   const spinner = ora8("Loading configuration...").start();
   try {
-    const config = await loadConfig(cwd);
+    const { context, config } = await createConfiguredCommandContext({
+      outputFormat: options.json ? "json" : "console"
+    });
+    const { cwd } = context;
     const changeType = options.change || "modified";
     if (!["created", "modified", "deprecated"].includes(changeType)) {
       spinner.fail();