@kernlang/review 3.3.9 → 3.4.1

package/dist/rule-quality.js

@@ -0,0 +1,357 @@
+import { getRuleRegistry } from './rules/index.js';
+const GUARD_ADVISORY_RULES = new Set([
+    'dead-export',
+    'sync-in-async',
+    'cognitive-complexity',
+    'handler-size',
+    'unhandled-async',
+]);
+let ruleInfoById;
+function getRuleInfoMap() {
+    if (ruleInfoById)
+        return ruleInfoById;
+    ruleInfoById = new Map();
+    for (const info of getRuleRegistry()) {
+        if (!ruleInfoById.has(info.id)) {
+            ruleInfoById.set(info.id, info);
+        }
+    }
+    return ruleInfoById;
+}
+function inferredPrecision(info) {
+    return info.precision ?? 'medium';
+}
+function inferredLifecycle(info, precision) {
+    if (info.lifecycle)
+        return info.lifecycle;
+    if (precision === 'experimental')
+        return 'experimental';
+    if ((info.rolloutPhase ?? 0) > 0)
+        return 'candidate';
+    return 'stable';
+}
+function inferredCiDefault(info, precision, lifecycle) {
+    if (info.ciDefault)
+        return info.ciDefault;
+    if (info.severity === 'info')
+        return 'off';
+    if (precision === 'experimental' || lifecycle === 'experimental')
+        return 'off';
+    if (precision === 'medium' || lifecycle === 'candidate')
+        return 'guarded';
+    return 'on';
+}
+export function getRuleQualityProfile(ruleId) {
+    const info = getRuleInfoMap().get(ruleId);
+    if (!info)
+        return undefined;
+    const precision = inferredPrecision(info);
+    const lifecycle = inferredLifecycle(info, precision);
+    const ciDefault = inferredCiDefault(info, precision, lifecycle);
+    return { ...info, precision, lifecycle, ciDefault };
+}
+export function isRulePromotedForCi(ruleId) {
+    const profile = getRuleQualityProfile(ruleId);
+    return profile?.ciDefault === 'on' && profile.lifecycle === 'stable';
+}
+/**
+ * Apply review-mode calibration after confidence assignment and before suppression.
+ *
+ * Guard mode is the default for PR/CI review. It keeps high-signal errors visible,
+ * but softens advisory and experimental findings to info so they do not compete
+ * with correctness/security findings. Audit mode preserves original severities for
+ * local investigations.
+ *
+ * Idempotent: each finding is calibrated at most once per process lifetime. The
+ * `calibrated` flag prevents compounding multipliers when graph-mode rerun unions
+ * already-calibrated per-file findings with newly-injected cross-file findings.
+ *
+ * Records each acting stage on `finding.calibrationTrail` so audit policy can
+ * surface the calibration chain without recomputing it.
+ */
+export function applyRuleQualityCalibration(findings, config) {
+    if (config?.crossStackMode === 'audit')
+        return;
+    for (const finding of findings) {
+        if (finding.calibrated)
+            continue;
+        const profile = getRuleQualityProfile(finding.ruleId);
+        const shouldDemote = GUARD_ADVISORY_RULES.has(finding.ruleId) ||
+            profile?.ciDefault === 'off' ||
+            profile?.precision === 'experimental' ||
+            profile?.lifecycle === 'experimental';
+        if (shouldDemote && finding.severity !== 'error') {
+            const before = finding.severity;
+            finding.severity = 'info';
+            recordCalibration(finding, {
+                stage: 'rule-quality:demote-advisory',
+                factor: 1,
+                reason: GUARD_ADVISORY_RULES.has(finding.ruleId)
+                    ? 'rule on guard-advisory list'
+                    : `rule lifecycle=${profile?.lifecycle ?? 'unknown'} precision=${profile?.precision ?? 'unknown'}`,
+                beforeSeverity: before,
+                afterSeverity: 'info',
+            });
+        }
+        if ((profile?.precision === 'experimental' || profile?.lifecycle === 'experimental') &&
+            finding.confidence !== undefined &&
+            finding.confidence > 0.6) {
+            const before = finding.confidence;
+            finding.confidence = 0.6;
+            recordCalibration(finding, {
+                stage: 'rule-quality:experimental-cap',
+                factor: 0.6 / before,
+                reason: 'experimental rule capped at 0.6',
+                beforeConfidence: before,
+                afterConfidence: 0.6,
+            });
+        }
+        finding.calibrated = true;
+    }
+}
+/** Append a calibration stage to a finding's trail. */
+export function recordCalibration(finding, stage) {
+    if (!finding.calibrationTrail)
+        finding.calibrationTrail = [];
+    finding.calibrationTrail.push(stage);
+}
+/**
+ * Per-rule confidence multipliers per file role. Default factor is 1.0 (no change).
+ *
+ * Design constraints driven by the Phase 1 red-team:
+ *  - **No wildcards.** Every (role, ruleId) pair must be explicit. A `'*':0`
+ *    entry would silently nuke security findings on any file misclassified as
+ *    codegen — every entry is enumerated to avoid that.
+ *  - **Security-layer rules are excluded by construction** at lookup time
+ *    (see `roleMultiplierFor`). Even if a future edit accidentally lists a
+ *    security rule here, it is ignored.
+ *  - **NaN-safe.** Lookup returns 1 for any unmapped pair; we never let
+ *    `undefined * confidence` propagate.
+ */
+const ROLE_MULTIPLIER = {
+    barrel: {
+        'dead-export': 0,
+        'cognitive-complexity': 0,
+        'handler-size': 0,
+        'unhandled-async': 0.5,
+    },
+    codegen: {
+        'dead-export': 0,
+        'cognitive-complexity': 0,
+        'handler-size': 0,
+        'sync-in-async': 0,
+        'unhandled-async': 0,
+        'extra-code': 0,
+        'inconsistent-pattern': 0,
+        'style-difference': 0,
+        'missing-type': 0,
+    },
+    example: {
+        'dead-export': 0,
+        'public-api': 0,
+        'unhandled-async': 0.5,
+        'cognitive-complexity': 0.5,
+    },
+    test: {
+        'handler-size': 0.3,
+        'sync-in-async': 0,
+        'cognitive-complexity': 0.5,
+        'dead-export': 0,
+    },
+    'rule-definition': {
+        'cognitive-complexity': 0,
+    },
+    runtime: {},
+};
+/** Layer prefixes that are protected from any role multiplier. */
+const PROTECTED_LAYER_PREFIXES = ['security'];
+function isProtectedRule(ruleId) {
+    const info = getRuleInfoMap().get(ruleId);
+    if (!info)
+        return false;
+    return PROTECTED_LAYER_PREFIXES.some((prefix) => info.layer.startsWith(prefix));
+}
+/** Look up the role-aware multiplier for a finding. Always returns a finite number in [0, 1]. */
+export function roleMultiplierFor(role, ruleId) {
+    if (isProtectedRule(ruleId))
+        return 1;
+    const fromTable = ROLE_MULTIPLIER[role]?.[ruleId];
+    if (typeof fromTable !== 'number' || !Number.isFinite(fromTable))
+        return 1;
+    return Math.max(0, Math.min(1, fromTable));
+}
+/**
+ * Maps a kern rule to the external linter rules that already cover the same
+ * concern. If the user has any of these enabled at error/warn, kern's finding
+ * is duplicate noise and gets demoted to info.
+ *
+ * Phase 1 red-team explicitly cautioned against a static table — the right
+ * long-term answer is querying the live ESLint instance per-file, which honors
+ * `overrides`. That requires async pre-warm. As a sync first cut we use the
+ * project-level config; coverage is honest about its limits (no per-file
+ * overrides honored) but the common case (one .eslintrc.json at root) works.
+ *
+ * Security-layer rules are NOT listed here: even if eslint has a similar
+ * rule, kern's output is independently valuable (different detection model,
+ * audit-trail integrity).
+ */
+const KERN_TO_EXTERNAL = {
+    'dead-export': {
+        eslint: ['no-unused-vars', '@typescript-eslint/no-unused-vars'],
+        biome: ['noUnusedVariables'],
+    },
+    'unused-import': {
+        eslint: ['no-unused-vars', '@typescript-eslint/no-unused-vars', 'unused-imports/no-unused-imports'],
+        biome: ['noUnusedImports'],
+    },
+    'sync-in-async': {
+        eslint: ['@typescript-eslint/no-misused-promises', 'no-misused-promises'],
+    },
+    'unhandled-async': {
+        eslint: ['@typescript-eslint/no-floating-promises', 'no-floating-promises'],
+    },
+};
+/** Look up overlap entry; isProtectedRule already shields the security layer. */
+function overlapTargetsFor(ruleId) {
+    if (isProtectedRule(ruleId))
+        return undefined;
+    return KERN_TO_EXTERNAL[ruleId];
+}
+/**
+ * Demote kern findings whose external counterpart is configured at error/warn
+ * in the project. Demotion (severity → info, confidence × 0.5) preserves the
+ * finding for telemetry while taking it out of the CI gate. Skipped in audit.
+ */
+export function applyOverlapCalibration(findings, external, config) {
+    if (config?.crossStackMode === 'audit')
+        return;
+    if (external.eslintEnabledRules.size === 0 && external.biomeEnabledRules.size === 0)
+        return;
+    for (const finding of findings) {
+        if (finding.calibrated)
+            continue;
+        const targets = overlapTargetsFor(finding.ruleId);
+        if (!targets)
+            continue;
+        const matchedEslint = targets.eslint?.find((r) => external.eslintEnabledRules.has(r));
+        const matchedBiome = targets.biome?.find((r) => external.biomeEnabledRules.has(r));
+        if (!matchedEslint && !matchedBiome)
+            continue;
+        const which = matchedEslint ? `eslint:${matchedEslint}` : matchedBiome ? `biome:${matchedBiome}` : 'unknown';
+        const beforeSeverity = finding.severity;
+        if (finding.severity !== 'error' && finding.severity !== 'info') {
+            finding.severity = 'info';
+        }
+        let beforeConfidence;
+        let afterConfidence;
+        if (finding.confidence !== undefined) {
+            beforeConfidence = finding.confidence;
+            afterConfidence = finding.confidence * 0.5;
+            finding.confidence = afterConfidence;
+        }
+        recordCalibration(finding, {
+            stage: 'overlap:external-linter',
+            factor: 0.5,
+            reason: `external linter already enforces ${which}`,
+            beforeConfidence,
+            afterConfidence,
+            ...(beforeSeverity !== finding.severity ? { beforeSeverity, afterSeverity: finding.severity } : {}),
+        });
+    }
+}
+/**
+ * Apply role-aware confidence multipliers. Runs alongside applyRuleQualityCalibration
+ * in guard/ci policies; skipped in audit policy.
+ *
+ * Idempotent via the same `calibrated` flag: once a finding has been through any
+ * calibration stage it will not be touched again, so graph-mode rerun on a union
+ * does not compound multipliers.
+ */
+export function applyRoleAwareConfidence(findings, fileRole, config) {
+    if (config?.crossStackMode === 'audit')
+        return;
+    for (const finding of findings) {
+        if (finding.calibrated)
+            continue;
+        const factor = roleMultiplierFor(fileRole, finding.ruleId);
+        if (factor === 1)
+            continue;
+        if (finding.confidence !== undefined) {
+            const before = finding.confidence;
+            const after = before * factor;
+            finding.confidence = after;
+            recordCalibration(finding, {
+                stage: 'role-aware:confidence-multiplier',
+                factor,
+                reason: `role=${fileRole} reduces confidence on rule '${finding.ruleId}'`,
+                beforeConfidence: before,
+                afterConfidence: after,
+            });
+        }
+        else {
+            recordCalibration(finding, {
+                stage: 'role-aware:confidence-multiplier',
+                factor,
+                reason: `role=${fileRole} reduces confidence on rule '${finding.ruleId}' (no native confidence set)`,
+            });
+        }
+    }
+}
+export function applyRuleSupersession(findings, config) {
+    if (config?.crossStackMode === 'audit')
+        return [...findings];
+    const suppressedByRoot = new Map();
+    for (const finding of findings) {
+        const supersedes = getRuleQualityProfile(finding.ruleId)?.supersedes;
+        if (!supersedes || supersedes.length === 0)
+            continue;
+        const rootKey = findingRootKey(finding);
+        const existing = suppressedByRoot.get(rootKey) ?? new Set();
+        for (const ruleId of supersedes) {
+            existing.add(ruleId);
+        }
+        suppressedByRoot.set(rootKey, existing);
+    }
+    return findings.filter((finding) => {
+        const suppressed = suppressedByRoot.get(findingRootKey(finding));
+        return !suppressed?.has(finding.ruleId);
+    });
+}
+function findingRootKey(finding) {
+    if (finding.rootCause?.key)
+        return finding.rootCause.key;
+    const span = finding.primarySpan;
+    return `${span.file}:${span.startLine}:${span.startCol}`;
+}
+/**
+ * Lightweight self-check for registry hygiene. It is intentionally non-throwing so
+ * tests and tooling can decide whether to warn or fail.
+ */
+export function validateRuleQualityRegistry() {
+    const issues = [];
+    const seen = new Set();
+    for (const info of getRuleRegistry()) {
+        if (seen.has(info.id)) {
+            issues.push({ ruleId: info.id, message: 'duplicate rule registry entry' });
+            continue;
+        }
+        seen.add(info.id);
+        const profile = getRuleQualityProfile(info.id);
+        if (!profile)
+            continue;
+        if (profile.ciDefault === 'on' && !info.precision) {
+            issues.push({ ruleId: info.id, message: 'CI-on rule must declare precision explicitly' });
+        }
+        if (profile.ciDefault === 'on' && profile.lifecycle !== 'stable') {
+            issues.push({ ruleId: info.id, message: 'CI-on rule must be stable' });
+        }
+        if (profile.lifecycle === 'experimental' && profile.ciDefault === 'on') {
+            issues.push({ ruleId: info.id, message: 'experimental rule cannot default to CI-on' });
+        }
+        if (profile.precision === 'experimental' && profile.severity === 'error') {
+            issues.push({ ruleId: info.id, message: 'experimental rule should not default to error severity' });
+        }
+    }
+    return issues;
+}
+//# sourceMappingURL=rule-quality.js.map

package/dist/rule-quality.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-quality.js","sourceRoot":"","sources":["../src/rule-quality.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAiB,MAAM,kBAAkB,CAAC;AAalE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,aAAa;IACb,eAAe;IACf,sBAAsB;IACtB,cAAc;IACd,iBAAiB;CAClB,CAAC,CAAC;AAEH,IAAI,YAA+C,CAAC;AAEpD,SAAS,cAAc;IACrB,IAAI,YAAY;QAAE,OAAO,YAAY,CAAC;IACtC,YAAY,GAAG,IAAI,GAAG,EAAE,CAAC;IACzB,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,EAAE,CAAC;QACrC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YAC/B,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IACD,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc;IACvC,OAAO,IAAI,CAAC,SAAS,IAAI,QAAQ,CAAC;AACpC,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc,EAAE,SAAwB;IACjE,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1C,IAAI,SAAS,KAAK,cAAc;QAAE,OAAO,cAAc,CAAC;IACxD,IAAI,CAAC,IAAI,CAAC,YAAY,IAAI,CAAC,CAAC,GAAG,CAAC;QAAE,OAAO,WAAW,CAAC;IACrD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAc,EAAE,SAAwB,EAAE,SAAwB;IAC3F,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC;IAC1C,IAAI,IAAI,CAAC,QAAQ,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IAC3C,IAAI,SAAS,KAAK,cAAc,IAAI,SAAS,KAAK,cAAc;QAAE,OAAO,KAAK,CAAC;IAC/E,IAAI,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,WAAW;QAAE,OAAO,SAAS,CAAC;IAC1E,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,qBAAqB,CAAC,MAAc;IAClD,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,SAAS,CAAC;IAC5B,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAC1C,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,EAAE,SAAS,CAAC,CAAC;IACrD,MAAM,SAAS,GAAG,iBAAiB,CAAC,IAAI,EAAE,SAAS,EAAE,SAAS,CAAC,CAAC;IAChE,OAAO,EAAE,GAAG,IAAI,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,mBAAmB,CAAC,MAAc;IAChD,MAAM,OAAO,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO,OAAO,EAAE,SAAS,KAAK,IAAI,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC;AACvE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,2BAA2B,CACzC,QAAyB,EACzB,MAA6C;IAE7C,IAAI,MAAM,EAAE,cAAc,KAAK,OAAO;QAAE,OAAO;IAE/C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,UAAU;YAAE,SAAS;QAEjC,MAAM,OAAO,GAAG,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACtD,MAAM,YAAY,GAChB,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;YACxC,OAAO,EAAE,SAAS,KAAK,KAAK;YAC5B,OAAO,EAAE,SAAS,KAAK,cAAc;YACrC,OAAO,EAAE,SAAS,KAAK,cAAc,CAAC;QAExC,IAAI,YAAY,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACjD,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC;YAChC,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;YAC1B,iBAAiB,CAAC,OAAO,EAAE;gBACzB,KAAK,EAAE,8BAA8B;gBACrC,MAAM,EAAE,CAAC;gBACT,MAAM,EAAE,oBAAoB,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;oBAC9C,CAAC,CAAC,6BAA6B;oBAC/B,CAAC,CAAC,kBAAkB,OAAO,EAAE,SAAS,IAAI,SAAS,cAAc,OAAO,EAAE,SAAS,IAAI,SAAS,EAAE;gBACpG,cAAc,EAAE,MAAM;gBACtB,aAAa,EAAE,MAAM;aACtB,CAAC,CAAC;QACL,CAAC;QAED,IACE,CAAC,OAAO,EAAE,SAAS,KAAK,cAAc,IAAI,OAAO,EAAE,SAAS,KAAK,cAAc,CAAC;YAChF,OAAO,CAAC,UAAU,KAAK,SAAS;YAChC,OAAO,CAAC,UAAU,GAAG,GAAG,EACxB,CAAC;YACD,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;YAClC,OAAO,CAAC,UAAU,GAAG,GAAG,CAAC;YACzB,iBAAiB,CAAC,OAAO,EAAE;gBACzB,KAAK,EAAE,+BAA+B;gBACtC,MAAM,EAAE,GAAG,GAAG,MAAM;gBACpB,MAAM,EAAE,iCAAiC;gBACzC,gBAAgB,EAAE,MAAM;gBACxB,eAAe,EAAE,GAAG;aACrB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC;IAC5B,CAAC;AACH,CAAC;AAED,uDAAuD;AACvD,MAAM,UAAU,iBAAiB,CAAC,OAAsB,EAAE,KAAuB;IAC/E,IAAI,CAAC,OAAO,CAAC,gBAAgB;QAAE,OAAO,CAAC,gBAAgB,GAAG,EAAE,CAAC;IAC7D,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACvC,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,eAAe,GAAsD;IACzE,MAAM,EAAE;QACN,aAAa,EAAE,CAAC;QAChB,sBAAsB,EAAE,CAAC;QACzB,cAAc,EAAE,CAAC;QACjB,iBAAiB,EAAE,GAAG;KACvB;IACD,OAAO,EAAE;QACP,aAAa,EAAE,CAAC;QAChB,sBAAsB,EAAE,CAAC;QACzB,cAAc,EAAE,CAAC;QACjB,eAAe,EAAE,CAAC;QAClB,iBAAiB,EAAE,CAAC;QACpB,YAAY,EAAE,CAAC;QACf,sBAAsB,EAAE,CAAC;QACzB,kBAAkB,EAAE,CAAC;QACrB,cAAc,EAAE,CAAC;KAClB;IACD,OAAO,EAAE;QACP,aAAa,EAAE,CAAC;QAChB,YAAY,EAAE,CAAC;QACf,iBAAiB,EAAE,GAAG;QACtB,sBAAsB,EAAE,GAAG;KAC5B;IACD,IAAI,EAAE;QACJ,cAAc,EAAE,GAAG;QACnB,eAAe,EAAE,CAAC;QAClB,sBAAsB,EAAE,GAAG;QAC3B,aAAa,EAAE,CAAC;KACjB;IACD,iBAAiB,EAAE;QACjB,sBAAsB,EAAE,CAAC;KAC1B;IACD,OAAO,EAAE,EAAE;CACZ,CAAC;AAEF,kEAAkE;AAClE,MAAM,wBAAwB,GAAG,CAAC,UAAU,CAAC,CAAC;AAE9C,SAAS,eAAe,CAAC,MAAc;IACrC,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC1C,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IACxB,OAAO,wBAAwB,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC;AAClF,CAAC;AAED,iGAAiG;AACjG,MAAM,UAAU,iBAAiB,CAAC,IAAc,EAAE,MAAc;IAC9D,IAAI,eAAe,CAAC,MAAM,CAAC;QAAE,OAAO,CAAC,CAAC;IACtC,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC;IAClD,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,CAAC,CAAC;IAC3E,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC;AAC7C,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,gBAAgB,GAA4D;IAChF,aAAa,EAAE;QACb,MAAM,EAAE,CAAC,gBAAgB,EAAE,mCAAmC,CAAC;QAC/D,KAAK,EAAE,CAAC,mBAAmB,CAAC;KAC7B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,CAAC,gBAAgB,EAAE,mCAAmC,EAAE,kCAAkC,CAAC;QACnG,KAAK,EAAE,CAAC,iBAAiB,CAAC;KAC3B;IACD,eAAe,EAAE;QACf,MAAM,EAAE,CAAC,wCAAwC,EAAE,qBAAqB,CAAC;KAC1E;IACD,iBAAiB,EAAE;QACjB,MAAM,EAAE,CAAC,yCAAyC,EAAE,sBAAsB,CAAC;KAC5E;CACF,CAAC;AAEF,iFAAiF;AACjF,SAAS,iBAAiB,CAAC,MAAc;IACvC,IAAI,eAAe,CAAC,MAAM,CAAC;QAAE,OAAO,SAAS,CAAC;IAC9C,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;AAClC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,QAAyB,EACzB,QAA8B,EAC9B,MAA6C;IAE7C,IAAI,MAAM,EAAE,cAAc,KAAK,OAAO;QAAE,OAAO;IAC/C,IAAI,QAAQ,CAAC,kBAAkB,CAAC,IAAI,KAAK,CAAC,IAAI,QAAQ,CAAC,iBAAiB,CAAC,IAAI,KAAK,CAAC;QAAE,OAAO;IAE5F,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,UAAU;YAAE,SAAS;QAEjC,MAAM,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAClD,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACtF,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACnF,IAAI,CAAC,aAAa,IAAI,CAAC,YAAY;YAAE,SAAS;QAE9C,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,CAAC,UAAU,aAAa,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAE7G,MAAM,cAAc,GAAG,OAAO,CAAC,QAAQ,CAAC;QACxC,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YAChE,OAAO,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC5B,CAAC;QACD,IAAI,gBAAoC,CAAC;QACzC,IAAI,eAAmC,CAAC;QACxC,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACrC,gBAAgB,GAAG,OAAO,CAAC,UAAU,CAAC;YACtC,eAAe,GAAG,OAAO,CAAC,UAAU,GAAG,GAAG,CAAC;YAC3C,OAAO,CAAC,UAAU,GAAG,eAAe,CAAC;QACvC,CAAC;QACD,iBAAiB,CAAC,OAAO,EAAE;YACzB,KAAK,EAAE,yBAAyB;YAChC,MAAM,EAAE,GAAG;YACX,MAAM,EAAE,oCAAoC,KAAK,EAAE;YACnD,gBAAgB;YAChB,eAAe;YACf,GAAG,CAAC,cAAc,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,aAAa,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACpG,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,wBAAwB,CACtC,QAAyB,EACzB,QAAkB,EAClB,MAA6C;IAE7C,IAAI,MAAM,EAAE,cAAc,KAAK,OAAO;QAAE,OAAO;IAE/C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,OAAO,CAAC,UAAU;YAAE,SAAS;QAEjC,MAAM,MAAM,GAAG,iBAAiB,CAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;QAC3D,IAAI,MAAM,KAAK,CAAC;YAAE,SAAS;QAE3B,IAAI,OAAO,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACrC,MAAM,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC;YAClC,MAAM,KAAK,GAAG,MAAM,GAAG,MAAM,CAAC;YAC9B,OAAO,CAAC,UAAU,GAAG,KAAK,CAAC;YAC3B,iBAAiB,CAAC,OAAO,EAAE;gBACzB,KAAK,EAAE,kCAAkC;gBACzC,MAAM;gBACN,MAAM,EAAE,QAAQ,QAAQ,gCAAgC,OAAO,CAAC,MAAM,GAAG;gBACzE,gBAAgB,EAAE,MAAM;gBACxB,eAAe,EAAE,KAAK;aACvB,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,iBAAiB,CAAC,OAAO,EAAE;gBACzB,KAAK,EAAE,kCAAkC;gBACzC,MAAM;gBACN,MAAM,EAAE,QAAQ,QAAQ,gCAAgC,OAAO,CAAC,MAAM,8BAA8B;aACrG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,QAAkC,EAClC,MAA6C;IAE7C,IAAI,MAAM,EAAE,cAAc,KAAK,OAAO;QAAE,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;IAE7D,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAuB,CAAC;IACxD,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,UAAU,GAAG,qBAAqB,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,UAAU,CAAC;QACrE,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAErD,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,EAAU,CAAC;QACpE,KAAK,MAAM,MAAM,IAAI,UAAU,EAAE,CAAC;YAChC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACvB,CAAC;QACD,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE;QACjC,MAAM,UAAU,GAAG,gBAAgB,CAAC,GAAG,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC;QACjE,OAAO,CAAC,UAAU,EAAE,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,cAAc,CAAC,OAAsB;IAC5C,IAAI,OAAO,CAAC,SAAS,EAAE,GAAG;QAAE,OAAO,OAAO,CAAC,SAAS,CAAC,GAAG,CAAC;IACzD,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC;IACjC,OAAO,GAAG,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;AAC3D,CAAC;AAOD;;;GAGG;AACH,MAAM,UAAU,2BAA2B;IACzC,MAAM,MAAM,GAAuB,EAAE,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,eAAe,EAAE,EAAE,CAAC;QACrC,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CAAC;YAC3E,SAAS;QACX,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAElB,MAAM,OAAO,GAAG,qBAAqB,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO;YAAE,SAAS;QACvB,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAClD,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,8CAA8C,EAAE,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,KAAK,cAAc,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;YACvE,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,2CAA2C,EAAE,CAAC,CAAC;QACzF,CAAC;QACD,IAAI,OAAO,CAAC,SAAS,KAAK,cAAc,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;YACzE,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,wDAAwD,EAAE,CAAC,CAAC;QACtG,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/rules/dead-code.d.ts

@@ -6,6 +6,6 @@
  */
 import type { CallGraph } from '../call-graph.js';
 import { type PublicApiMap } from '../public-api.js';
-import type { ReviewFinding } from '../types.js';
-export declare function deadExportRule(callGraph: CallGraph, filePath: string, publicApi?: PublicApiMap): ReviewFinding[];
+import type { ReachabilityBlocker, ReviewFinding } from '../types.js';
+export declare function deadExportRule(callGraph: CallGraph, filePath: string, publicApi?: PublicApiMap, blockers?: readonly ReachabilityBlocker[]): ReviewFinding[];
 export declare function crossFileAsyncRule(callGraph: CallGraph, filePath: string): ReviewFinding[];

package/dist/rules/dead-code.js

@@ -11,8 +11,54 @@ function span(file, line, col = 1) {
 }
 // ── Rule: dead-export ───────────────────────────────────────────────────
 // Exported function/variable that is never imported by any file in the graph.
-export function deadExportRule(callGraph, filePath, publicApi) {
+/**
+ * The confidence ceiling step 9b applies when a ReachabilityBlocker matches
+ * a finding's symbol scope. CAP, not floor: `Math.min(confidence, 0.4)`.
+ * A real floor would *raise* low-confidence findings (e.g. a 0.6 codegen-
+ * demoted dead-export bouncing back up to 0.4 — wait, 0.4 < 0.6, so a
+ * floor wouldn't help here, but the principle holds: blockers indicate
+ * uncertainty, they should never strengthen a finding). Codex flagged
+ * the floor-vs-cap terminology in plan-review #66 as a HIGH-severity
+ * gotcha; this constant is named CAP to make the intent obvious.
+ */
+const REACHABILITY_BLOCKER_CAP = 0.4;
+/**
+ * Match a (filePath, exportName) blocker against a finding, with the
+ * default-alias step 9a wired in: when the seed says `'default'` is
+ * blocked but the call graph stored the symbol under its declaration
+ * name (`'Page'`), the file's `defaultExportNames` entry tells us the
+ * two key the same on-disk symbol.
+ *
+ * Returns the matched blocker, or undefined when nothing applies.
+ */
+function findMatchingBlocker(blockers, filePath, exportName, defaultExportName) {
+    for (const b of blockers) {
+        if (b.filePath !== filePath)
+            continue;
+        if (b.exportName === exportName)
+            return b;
+        // Default alias: blocker says (path, 'default'), and `exportName` IS
+        // the file's default — same symbol.
+        if (b.exportName === 'default' && defaultExportName === exportName)
+            return b;
+    }
+    return undefined;
+}
+/**
+ * Public-API check with the step 9a default-alias wired in: a seed of
+ * `(filePath, 'default')` proves `(filePath, internalName)` is public
+ * when internalName IS the file's default export.
+ */
+function isPublicApiWithDefaultAlias(publicApi, filePath, exportName, defaultExportName) {
+    if (isPublicApi(publicApi, filePath, exportName))
+        return true;
+    if (defaultExportName === exportName && isPublicApi(publicApi, filePath, 'default'))
+        return true;
+    return false;
+}
+export function deadExportRule(callGraph, filePath, publicApi, blockers = []) {
     const findings = [];
+    const defaultExportName = callGraph.defaultExportNames.get(filePath);
     for (const key of callGraph.deadExports) {
         const fn = callGraph.functions.get(key);
         if (!fn || fn.filePath !== filePath)
@@ -23,7 +69,7 @@ export function deadExportRule(callGraph, filePath, publicApi) {
         // Skip intentional public API — package.json entries, curated barrels, config overrides.
         // External consumers (other packages, dynamic loaders, platform entry points) won't
         // appear in the analyzed graph, so their imports can't be observed.
-        if (publicApi && isPublicApi(publicApi, fn.filePath, fn.name))
+        if (publicApi && isPublicApiWithDefaultAlias(publicApi, fn.filePath, fn.name, defaultExportName))
             continue;
         // Class methods inherit public-API status from their enclosing class. The
         // call graph tracks `Class.method` as a separate exported symbol whose
@@ -40,11 +86,48 @@ export function deadExportRule(callGraph, filePath, publicApi) {
         // If lots of calls are unresolved, the dead export might actually be used via a dynamic path
         const totalCalls = [...callGraph.functions.values()].reduce((sum, f) => sum + f.calls.length, 0);
         const unresolvedRatio = totalCalls > 0 ? callGraph.unresolvedCallCount / totalCalls : 0;
-        const confidence = unresolvedRatio > 0.3 ? 0.6 : unresolvedRatio > 0.1 ? 0.7 : 0.85;
+        const baseConfidence = unresolvedRatio > 0.3 ? 0.6 : unresolvedRatio > 0.1 ? 0.7 : 0.85;
+        // Step 9b: symbol-scoped reachability blocker. When the graph couldn't
+        // prove this specific (file, name) is unreachable — say a candidate
+        // dead export is referenced by an unresolved re-export — the finding
+        // STILL emits (so telemetry sees it and fpRateEstimate stays honest)
+        // but at info severity with a CAP at 0.4 plus a calibration trail
+        // entry. Hard suppression was the v3 design that red-team killed:
+        // one weak signal silenced 50 unrelated symbols and fpRateEstimate
+        // went out of sync with reality.
+        const blocker = findMatchingBlocker(blockers, fn.filePath, fn.name, defaultExportName);
+        let severity = 'warning';
+        let confidence = baseConfidence;
+        let calibrationTrail;
+        if (blocker) {
+            severity = 'info';
+            const before = baseConfidence;
+            confidence = Math.min(before, REACHABILITY_BLOCKER_CAP);
+            // baseConfidence is one of the dead-export ladder values (0.6/0.7/0.85);
+            // it can never be 0, so the division is safe without a guard.
+            //
+            // INVARIANT — fresh array, never append. The trail is recreated each
+            // time deadExportRule fires, so it can't accumulate stages across
+            // repeated calls. This pairs with applyRuleQualityCalibration's
+            // `calibrated` guard (rule-quality.ts:91) to keep the trail length
+            // bounded across the lifetime of any single ReviewFinding object.
+            // If a future change introduces persistent ReviewFinding objects
+            // reused across watch-mode runs, BOTH guarantees must be revisited
+            // — see the idempotence test in rule-quality.test.ts:125.
+            calibrationTrail = [
+                {
+                    stage: 'reachability:blocker',
+                    factor: confidence / before,
+                    reason: blocker.reason,
+                    beforeConfidence: before,
+                    afterConfidence: confidence,
+                },
+            ];
+        }
         findings.push({
             source: 'kern',
             ruleId: 'dead-export',
-            severity: 'warning',
+            severity,
             category: 'structure',
             message: `Exported function '${fn.name}' is never imported in the analyzed codebase`,
             primarySpan: span(filePath, fn.line),
@@ -64,6 +147,7 @@ export function deadExportRule(callGraph, filePath, publicApi) {
                     },
                 ],
             },
+            ...(calibrationTrail ? { calibrationTrail } : {}),
         });
     }
     return findings;

package/dist/rules/dead-code.js.map

@@ -1 +1 @@
-{"version":3,"file":"dead-code.js","sourceRoot":"","sources":["../../src/rules/dead-code.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,WAAW,EAAqB,MAAM,kBAAkB,CAAC;AAElE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,SAAS,IAAI,CAAC,IAAY,EAAE,IAAY,EAAE,GAAG,GAAG,CAAC;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;AAC9E,CAAC;AAED,2EAA2E;AAC3E,8EAA8E;AAE9E,MAAM,UAAU,cAAc,CAAC,SAAoB,EAAE,QAAgB,EAAE,SAAwB;IAC7F,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ,KAAK,QAAQ;YAAE,SAAS;QAE9C,kBAAkB;QAClB,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE/E,yFAAyF;QACzF,oFAAoF;QACpF,oEAAoE;QACpE,IAAI,SAAS,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC;YAAE,SAAS;QAExE,0EAA0E;QAC1E,uEAAuE;QACvE,sEAAsE;QACtE,oEAAoE;QACpE,uEAAuE;QACvE,4DAA4D;QAC5D,IAAI,SAAS,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;gBAAE,SAAS;QAC/D,CAAC;QAED,oEAAoE;QACpE,6FAA6F;QAC7F,MAAM,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjG,MAAM,eAAe,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,mBAAmB,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,MAAM,UAAU,GAAG,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QAEpF,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,aAAa;YACrB,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,sBAAsB,EAAE,CAAC,IAAI,8CAA8C;YACpF,WAAW,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC;YACpC,WAAW,EAAE,iBAAiB,CAAC,aAAa,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YACzD,UAAU;YACV,UAAU,EAAE,+GAA+G;YAC3H,UAAU,EAAE;gBACV,OAAO,EACL,EAAE,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;oBACtB,CAAC,CAAC,wDAAwD,EAAE,CAAC,IAAI,IAAI;oBACrE,CAAC,CAAC,2CAA2C,EAAE,CAAC,IAAI,IAAI;gBAC5D,KAAK,EAAE;oBACL;wBACE,IAAI,EAAE,QAAQ;wBACd,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC;wBACjC,KAAK,EAAE,UAAU,EAAE,CAAC,IAAI,EAAE;wBAC1B,MAAM,EAAE,oBAAoB,EAAE,CAAC,IAAI,8DAA8D;qBAClG;iBACF;aACF;SACF,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,2EAA2E;AAC3E,2DAA2D;AAE3D,MAAM,UAAU,kBAAkB,CAAC,SAAoB,EAAE,QAAgB;IACvE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;QACzC,IAAI,EAAE,CAAC,QAAQ,KAAK,QAAQ;YAAE,SAAS;QAEvC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAE9C,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,EAAE,OAAO;gBAAE,SAAS;YAE/B,oFAAoF;YACpF,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ;gBAAE,SAAS;YAE3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,kBAAkB;gBAC1B,QAAQ,EAAE,OAAO;gBACjB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,gBAAgB,IAAI,CAAC,UAAU,YAAY,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,oCAAoC;gBACxH,WAAW,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;gBACtC,YAAY,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClD,WAAW,EAAE,iBAAiB,CAAC,kBAAkB,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAChE,UAAU,EAAE,GAAG;gBACf,UAAU,EAAE,8EAA8E;gBAC1F,UAAU,EAAE;oBACV,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,kBAAkB,MAAM,CAAC,IAAI,0CAA0C;oBAC1F,KAAK,EAAE;wBACL;4BACE,IAAI,EAAE,MAAM;4BACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;4BACnC,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,QAAQ,IAAI,CAAC,UAAU,IAAI;4BAC5C,MAAM,EAAE,sBAAsB,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,kBAAkB;yBAC1E;wBACD;4BACE,IAAI,EAAE,MAAM;4BACZ,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC;4BAC5C,KAAK,EAAE,SAAS,MAAM,CAAC,IAAI,IAAI;4BAC/B,MAAM,EAAE,wCAAwC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG;yBACpF;qBACF;iBACF;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
+{"version":3,"file":"dead-code.js","sourceRoot":"","sources":["../../src/rules/dead-code.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,WAAW,EAAqB,MAAM,kBAAkB,CAAC;AAElE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAEhD,SAAS,IAAI,CAAC,IAAY,EAAE,IAAY,EAAE,GAAG,GAAG,CAAC;IAC/C,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,GAAG,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC;AAC9E,CAAC;AAED,2EAA2E;AAC3E,8EAA8E;AAE9E;;;;;;;;;GASG;AACH,MAAM,wBAAwB,GAAG,GAAG,CAAC;AAErC;;;;;;;;GAQG;AACH,SAAS,mBAAmB,CAC1B,QAAwC,EACxC,QAAgB,EAChB,UAAkB,EAClB,iBAAqC;IAErC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ;YAAE,SAAS;QACtC,IAAI,CAAC,CAAC,UAAU,KAAK,UAAU;YAAE,OAAO,CAAC,CAAC;QAC1C,qEAAqE;QACrE,oCAAoC;QACpC,IAAI,CAAC,CAAC,UAAU,KAAK,SAAS,IAAI,iBAAiB,KAAK,UAAU;YAAE,OAAO,CAAC,CAAC;IAC/E,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,SAAS,2BAA2B,CAClC,SAAuB,EACvB,QAAgB,EAChB,UAAkB,EAClB,iBAAqC;IAErC,IAAI,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,UAAU,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,IAAI,iBAAiB,KAAK,UAAU,IAAI,WAAW,CAAC,SAAS,EAAE,QAAQ,EAAE,SAAS,CAAC;QAAE,OAAO,IAAI,CAAC;IACjG,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAC5B,SAAoB,EACpB,QAAgB,EAChB,SAAwB,EACxB,WAA2C,EAAE;IAE7C,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,iBAAiB,GAAG,SAAS,CAAC,kBAAkB,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IAErE,KAAK,MAAM,GAAG,IAAI,SAAS,CAAC,WAAW,EAAE,CAAC;QACxC,MAAM,EAAE,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ,KAAK,QAAQ;YAAE,SAAS;QAE9C,kBAAkB;QAClB,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAE/E,yFAAyF;QACzF,oFAAoF;QACpF,oEAAoE;QACpE,IAAI,SAAS,IAAI,2BAA2B,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,EAAE,iBAAiB,CAAC;YAAE,SAAS;QAE3G,0EAA0E;QAC1E,uEAAuE;QACvE,sEAAsE;QACtE,oEAAoE;QACpE,uEAAuE;QACvE,4DAA4D;QAC5D,IAAI,SAAS,IAAI,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvC,MAAM,SAAS,GAAG,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACxC,IAAI,WAAW,CAAC,SAAS,EAAE,EAAE,CAAC,QAAQ,EAAE,SAAS,CAAC;gBAAE,SAAS;QAC/D,CAAC;QAED,oEAAoE;QACpE,6FAA6F;QAC7F,MAAM,UAAU,GAAG,CAAC,GAAG,SAAS,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QACjG,MAAM,eAAe,GAAG,UAAU,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,mBAAmB,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;QACxF,MAAM,cAAc,GAAG,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,eAAe,GAAG,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;QAExF,uEAAuE;QACvE,oEAAoE;QACpE,qEAAqE;QACrE,qEAAqE;QACrE,kEAAkE;QAClE,kEAAkE;QAClE,mEAAmE;QACnE,iCAAiC;QACjC,MAAM,OAAO,GAAG,mBAAmB,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,EAAE,iBAAiB,CAAC,CAAC;QACvF,IAAI,QAAQ,GAA8B,SAAS,CAAC;QACpD,IAAI,UAAU,GAAG,cAAc,CAAC;QAChC,IAAI,gBAAgD,CAAC;QACrD,IAAI,OAAO,EAAE,CAAC;YACZ,QAAQ,GAAG,MAAM,CAAC;YAClB,MAAM,MAAM,GAAG,cAAc,CAAC;YAC9B,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,wBAAwB,CAAC,CAAC;YACxD,yEAAyE;YACzE,8DAA8D;YAC9D,EAAE;YACF,qEAAqE;YACrE,kEAAkE;YAClE,gEAAgE;YAChE,mEAAmE;YACnE,kEAAkE;YAClE,iEAAiE;YACjE,mEAAmE;YACnE,0DAA0D;YAC1D,gBAAgB,GAAG;gBACjB;oBACE,KAAK,EAAE,sBAAsB;oBAC7B,MAAM,EAAE,UAAU,GAAG,MAAM;oBAC3B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,gBAAgB,EAAE,MAAM;oBACxB,eAAe,EAAE,UAAU;iBAC5B;aACF,CAAC;QACJ,CAAC;QAED,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM,EAAE,aAAa;YACrB,QAAQ;YACR,QAAQ,EAAE,WAAW;YACrB,OAAO,EAAE,sBAAsB,EAAE,CAAC,IAAI,8CAA8C;YACpF,WAAW,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC;YACpC,WAAW,EAAE,iBAAiB,CAAC,aAAa,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,CAAC;YACzD,UAAU;YACV,UAAU,EAAE,+GAA+G;YAC3H,UAAU,EAAE;gBACV,OAAO,EACL,EAAE,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC;oBACtB,CAAC,CAAC,wDAAwD,EAAE,CAAC,IAAI,IAAI;oBACrE,CAAC,CAAC,2CAA2C,EAAE,CAAC,IAAI,IAAI;gBAC5D,KAAK,EAAE;oBACL;wBACE,IAAI,EAAE,QAAQ;wBACd,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,EAAE,CAAC,IAAI,CAAC;wBACjC,KAAK,EAAE,UAAU,EAAE,CAAC,IAAI,EAAE;wBAC1B,MAAM,EAAE,oBAAoB,EAAE,CAAC,IAAI,8DAA8D;qBAClG;iBACF;aACF;YACD,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAClD,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,2EAA2E;AAC3E,2DAA2D;AAE3D,MAAM,UAAU,kBAAkB,CAAC,SAAoB,EAAE,QAAgB;IACvE,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,KAAK,MAAM,CAAC,EAAE,EAAE,CAAC,IAAI,SAAS,CAAC,SAAS,EAAE,CAAC;QACzC,IAAI,EAAE,CAAC,QAAQ,KAAK,QAAQ;YAAE,SAAS;QAEvC,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,KAAK,EAAE,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAE9C,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1D,MAAM,MAAM,GAAG,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YAClD,IAAI,CAAC,MAAM,EAAE,OAAO;gBAAE,SAAS;YAE/B,oFAAoF;YACpF,IAAI,IAAI,CAAC,UAAU,KAAK,QAAQ;gBAAE,SAAS;YAE3C,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,kBAAkB;gBAC1B,QAAQ,EAAE,OAAO;gBACjB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,gBAAgB,IAAI,CAAC,UAAU,YAAY,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,oCAAoC;gBACxH,WAAW,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;gBACtC,YAAY,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC;gBAClD,WAAW,EAAE,iBAAiB,CAAC,kBAAkB,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;gBAChE,UAAU,EAAE,GAAG;gBACf,UAAU,EAAE,8EAA8E;gBAC1F,UAAU,EAAE;oBACV,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI,kBAAkB,MAAM,CAAC,IAAI,0CAA0C;oBAC1F,KAAK,EAAE;wBACL;4BACE,IAAI,EAAE,MAAM;4BACZ,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;4BACnC,KAAK,EAAE,GAAG,EAAE,CAAC,IAAI,QAAQ,IAAI,CAAC,UAAU,IAAI;4BAC5C,MAAM,EAAE,sBAAsB,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,kBAAkB;yBAC1E;wBACD;4BACE,IAAI,EAAE,MAAM;4BACZ,QAAQ,EAAE,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC;4BAC5C,KAAK,EAAE,SAAS,MAAM,CAAC,IAAI,IAAI;4BAC/B,MAAM,EAAE,wCAAwC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,GAAG;yBACpF;qBACF;iBACF;aACF,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/rules/index.d.ts

@@ -31,6 +31,28 @@ export interface RuleInfo {
      * 'experimental' — rule may be noisy; hide-by-default, promote after signal data proves it out.
      */
     precision?: 'high' | 'medium' | 'experimental';
+    /**
+     * Lifecycle controls how aggressively a rule should participate in default
+     * guard/CI runs. Omitted entries are inferred from precision and rolloutPhase.
+     */
+    lifecycle?: 'stable' | 'candidate' | 'experimental';
+    /**
+     * Default CI posture:
+     * - on: participates at declared severity
+     * - guarded: can be softened in high-signal guard runs
+     * - off: emitted as informational unless audit mode is enabled
+     */
+    ciDefault?: 'on' | 'guarded' | 'off';
+    /**
+     * Analysis substrates required for high precision. This is intentionally
+     * declarative so new rules have to state their dependency on graph/type/evidence
+     * rather than hiding it in implementation comments.
+     */
+    requires?: Array<'graph' | 'type-info' | 'concepts' | 'taint' | 'external-tool'>;
+    /** Rule IDs that this rule makes redundant when both fire on the same root cause. */
+    supersedes?: string[];
+    /** True when findings from this rule can safely carry structured autofix actions. */
+    fixable?: boolean;
     /**
      * Wave number in the rollout plan. Used by kern-sight to group new rules
      * visually and by `--list-rules` to surface what just landed. Wave 0 = substrate.

package/dist/rules/index.js

@@ -1071,6 +1071,38 @@ const REGISTRY = [
         severity: 'warning',
         description: 'Network/DB effect without error recovery',
     },
+    {
+        id: 'auth-drift',
+        layer: 'concept',
+        severity: 'warning',
+        description: 'Authenticated backend route called by raw client request without visible auth propagation',
+        precision: 'high',
+        supersedes: ['auth-propagation-drift', 'unhandled-api-error-shape'],
+    },
+    {
+        id: 'contract-drift',
+        layer: 'concept',
+        severity: 'warning',
+        description: 'Client network call has no matching server route contract',
+        precision: 'high',
+        supersedes: ['unhandled-api-error-shape', 'unbounded-collection-query', 'request-validation-drift'],
+    },
+    {
+        id: 'contract-method-drift',
+        layer: 'concept',
+        severity: 'warning',
+        description: 'Client network method does not match the server route method for the same path',
+        precision: 'high',
+        supersedes: ['unhandled-api-error-shape', 'unbounded-collection-query', 'request-validation-drift'],
+    },
+    {
+        id: 'body-shape-drift',
+        layer: 'concept',
+        severity: 'warning',
+        description: 'Client request body fields differ from backend route body usage',
+        precision: 'high',
+        supersedes: ['request-validation-drift'],
+    },
     {
         id: 'unhandled-api-error-shape',
         layer: 'concept',