@kernlang/review 3.5.6-canary.202.1.31706b95 → 3.5.7

package/dist/config-files/env.d.ts

@@ -0,0 +1,45 @@
+/**
+ * `.env` analyzer — duplicate variables, malformed assignments, and a
+ * conservative committed-secret heuristic. Parallel to json.ts and
+ * markdown.ts: a non-ts-morph path that participates in the same
+ * ReviewFinding pipeline so kern-sight and kern-guard consume findings
+ * without API changes. No parser dep — the format is line-oriented and
+ * regex-tractable.
+ *
+ * Format conventions (dotenv-style, conservative subset):
+ *
+ *   • One assignment per line: `KEY=VALUE` or `KEY="quoted value"`.
+ *   • Comments start with `#`. Inline comments (`KEY=val # note`) are
+ *     accepted; the comment is stripped before secret-likeness checks.
+ *   • Blank lines and pure-comment lines are ignored.
+ *   • `export KEY=VALUE` is accepted (bash-style).
+ *   • Continuation across lines is NOT supported. Multi-line values
+ *     inside quotes are NOT supported (rare in real env files; out of
+ *     scope for a hygiene scanner).
+ *
+ * Rules:
+ *
+ *   • `env/duplicate-key` — same KEY assigned more than once in the file.
+ *     The second value wins on `process.env` parse. Fingerprint by key
+ *     name (NOT line) so kern-guard dedup is stable; 3rd+ occurrences
+ *     append `#N`.
+ *   • `env/malformed` — a non-blank, non-comment line that does not
+ *     match the assignment shape. Fingerprint by line content hash so
+ *     formatting fixes upstream don't perturb downstream findings.
+ *   • `env/possible-secret` — KEY matches `SECRET|TOKEN|API_KEY|PASSWORD|
+ *     PRIVATE|ACCESS_KEY` AND value is non-empty AND is not an obvious
+ *     placeholder (`changeme`, `example`, `<…>`, `${…}`, `your_…_here`,
+ *     pure `*` masks, etc.). Warning severity — conservative on purpose;
+ *     this should not fire on placeholders in `.env.example`.
+ *
+ * Files routed here are: `.env`, `.env.local`, `.env.development`,
+ * `.env.production`, `.env.test`, `.env.<anything>`. Files named
+ * `.env.example`, `.env.sample`, `.env.template`, `.env.defaults` are
+ * scanned but the secret-likeness rule is SUPPRESSED — those are by
+ * convention for committed placeholders.
+ */
+import type { ReviewFinding } from '../types.js';
+/** Files this analyzer claims. Routed by basename, not extension: `.env`
+ *  has no extension in the usual sense. */
+export declare function isEnvFile(filePath: string): boolean;
+export declare function reviewEnvFile(source: string, filePath: string): ReviewFinding[];

package/dist/config-files/env.js

@@ -0,0 +1,235 @@
+/**
+ * `.env` analyzer — duplicate variables, malformed assignments, and a
+ * conservative committed-secret heuristic. Parallel to json.ts and
+ * markdown.ts: a non-ts-morph path that participates in the same
+ * ReviewFinding pipeline so kern-sight and kern-guard consume findings
+ * without API changes. No parser dep — the format is line-oriented and
+ * regex-tractable.
+ *
+ * Format conventions (dotenv-style, conservative subset):
+ *
+ *   • One assignment per line: `KEY=VALUE` or `KEY="quoted value"`.
+ *   • Comments start with `#`. Inline comments (`KEY=val # note`) are
+ *     accepted; the comment is stripped before secret-likeness checks.
+ *   • Blank lines and pure-comment lines are ignored.
+ *   • `export KEY=VALUE` is accepted (bash-style).
+ *   • Continuation across lines is NOT supported. Multi-line values
+ *     inside quotes are NOT supported (rare in real env files; out of
+ *     scope for a hygiene scanner).
+ *
+ * Rules:
+ *
+ *   • `env/duplicate-key` — same KEY assigned more than once in the file.
+ *     The second value wins on `process.env` parse. Fingerprint by key
+ *     name (NOT line) so kern-guard dedup is stable; 3rd+ occurrences
+ *     append `#N`.
+ *   • `env/malformed` — a non-blank, non-comment line that does not
+ *     match the assignment shape. Fingerprint by line content hash so
+ *     formatting fixes upstream don't perturb downstream findings.
+ *   • `env/possible-secret` — KEY matches `SECRET|TOKEN|API_KEY|PASSWORD|
+ *     PRIVATE|ACCESS_KEY` AND value is non-empty AND is not an obvious
+ *     placeholder (`changeme`, `example`, `<…>`, `${…}`, `your_…_here`,
+ *     pure `*` masks, etc.). Warning severity — conservative on purpose;
+ *     this should not fire on placeholders in `.env.example`.
+ *
+ * Files routed here are: `.env`, `.env.local`, `.env.development`,
+ * `.env.production`, `.env.test`, `.env.<anything>`. Files named
+ * `.env.example`, `.env.sample`, `.env.template`, `.env.defaults` are
+ * scanned but the secret-likeness rule is SUPPRESSED — those are by
+ * convention for committed placeholders.
+ */
+import { basename } from 'node:path';
+// Matches `KEY=value`, `export KEY=value`, with optional spaces around `=`
+// (dotenv accepts both `KEY=value` and `KEY = value` — discouraged but
+// common). Captures:
+//   [1] = key
+//   [2] = value (everything after `=`, before any trailing comment)
+const ASSIGNMENT_RE = /^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$/;
+// Keys that suggest a secret. Case-insensitive. Conservative set.
+const SECRET_KEY_RE = /(?:^|_)(?:SECRET|TOKEN|API[_]?KEY|PASSWORD|PRIVATE[_]?KEY|ACCESS[_]?KEY|AUTH[_]?KEY|CLIENT[_]?SECRET)(?:$|_)/i;
+// Placeholder shapes — if the value is one of these, do NOT fire the
+// secret-likeness rule. The list is intentionally generous because the
+// cost of a false positive on .env.example is much higher than missing
+// one real secret (kern-guard would post the warning every PR).
+const PLACEHOLDER_PATTERNS = [
+    /^\s*$/,
+    /^(changeme|change-me|change_me|example|sample|placeholder|todo|tbd|xxx+|none|null|undefined|fill[_-]?me[_-]?in)\s*$/i,
+    /^your[_-]?.+[_-]?here$/i, // `your_api_key_here`
+    /^<[^>]+>$/, // `<your-token>`
+    /^\$\{[^}]+\}$/, // `${VAR}`
+    /^\*+$/, // pure asterisk mask
+    /^[*x]+(?:[-_][*x]+)*$/i, // `xxx-xxx-xxx`
+];
+/** Strip surrounding single/double quotes if balanced. */
+function unquote(s) {
+    if (s.length >= 2) {
+        const first = s.charAt(0);
+        const last = s.charAt(s.length - 1);
+        if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
+            return s.slice(1, -1);
+        }
+    }
+    return s;
+}
+/** Produce the "value for secret-likeness check" from a raw post-`=` slice.
+ *  Order matters: a quoted value with a trailing inline comment looks like
+ *  `"changeme" # production`. Stripping the inline comment FIRST without
+ *  quote-awareness would either bail (old behavior — bug) or chop a `#`
+ *  inside the quotes. Walking forward through the string, tracking the
+ *  initial quote char if any, gives the right answer in one pass:
+ *
+ *    1. trim
+ *    2. if starts with `"` or `'`, find the matching closing quote and
+ *       drop everything from the FIRST whitespace+`#` AFTER it
+ *    3. otherwise, drop everything from the first whitespace+`#`
+ *    4. unquote whatever remains
+ *
+ *  Used only for the secret-likeness check; duplicate detection compares
+ *  full raw values to keep error spans precise. */
+function valueForSecretCheck(raw) {
+    const trimmed = raw.trim();
+    if (trimmed === '')
+        return '';
+    let body = trimmed;
+    const first = trimmed.charAt(0);
+    if (first === '"' || first === "'") {
+        // Find the matching unescaped closing quote.
+        let endIdx = -1;
+        for (let i = 1; i < trimmed.length; i++) {
+            const c = trimmed.charAt(i);
+            if (c === '\\') {
+                i++; // skip the escaped char
+                continue;
+            }
+            if (c === first) {
+                endIdx = i;
+                break;
+            }
+        }
+        if (endIdx !== -1) {
+            // Everything past the closing quote, after optional whitespace, may
+            // be an inline `# comment`. Take only the quoted portion (inclusive
+            // of the quotes — `unquote` strips them next).
+            body = trimmed.slice(0, endIdx + 1);
+        }
+        // If no closing quote was found, fall through and let the # stripper
+        // handle the malformed input.
+    }
+    else {
+        // Unquoted value — strip a `# comment` preceded by whitespace.
+        const hashIdx = trimmed.indexOf(' #');
+        if (hashIdx !== -1)
+            body = trimmed.slice(0, hashIdx);
+    }
+    return unquote(body.trim());
+}
+function isPlaceholder(value) {
+    for (const re of PLACEHOLDER_PATTERNS) {
+        if (re.test(value))
+            return true;
+    }
+    return false;
+}
+/** Treat files named `.env.example`, `.env.sample`, `.env.template`,
+ *  `.env.defaults`, `.env.dist` as committed-placeholder files where the
+ *  secret-likeness rule is suppressed. */
+function isPlaceholderFile(filePath) {
+    const base = basename(filePath).toLowerCase();
+    return /^\.env\.(example|sample|template|defaults|dist)$/.test(base);
+}
+/** Files this analyzer claims. Routed by basename, not extension: `.env`
+ *  has no extension in the usual sense. */
+export function isEnvFile(filePath) {
+    const base = basename(filePath);
+    return base === '.env' || base.startsWith('.env.');
+}
+/** Fast non-cryptographic hash for malformed-line fingerprints. djb2. */
+function hashShort(s) {
+    let h = 5381;
+    for (let i = 0; i < s.length; i++) {
+        h = ((h << 5) + h + s.charCodeAt(i)) | 0;
+    }
+    return (h >>> 0).toString(36);
+}
+function makeSpan(filePath, line, startCol, endCol) {
+    return { file: filePath, startLine: line, startCol, endLine: line, endCol };
+}
+export function reviewEnvFile(source, filePath) {
+    const findings = [];
+    const suppressSecretRule = isPlaceholderFile(filePath);
+    // Track first-occurrence + dup count per key for fingerprint stability.
+    const seen = new Map();
+    const lines = source.split(/\r?\n/);
+    for (let i = 0; i < lines.length; i++) {
+        const raw = lines[i];
+        const trimmed = raw.trim();
+        if (trimmed === '')
+            continue;
+        if (trimmed.startsWith('#'))
+            continue;
+        const m = raw.match(ASSIGNMENT_RE);
+        if (!m) {
+            // Malformed line — non-blank, non-comment, not parseable.
+            const ruleId = 'env/malformed';
+            findings.push({
+                source: 'kern',
+                ruleId,
+                severity: 'warning',
+                category: 'style',
+                message: 'Line does not look like a `KEY=VALUE` assignment. dotenv parsers may skip or misread this line.',
+                primarySpan: makeSpan(filePath, i + 1, 1, raw.length + 1),
+                confidence: 85,
+                // Fingerprint by content shape — same broken line on a different
+                // line number stays the same finding. Different broken lines get
+                // distinct fingerprints.
+                fingerprint: `${ruleId}:${hashShort(trimmed)}`,
+            });
+            continue;
+        }
+        const key = m[1];
+        const rawValue = m[2] ?? '';
+        // ── Duplicate key ──────────────────────────────────────────────────
+        const prior = seen.get(key);
+        if (prior) {
+            prior.dupCount += 1;
+            const ruleId = 'env/duplicate-key';
+            const suffix = prior.dupCount === 1 ? '' : `#${prior.dupCount}`;
+            findings.push({
+                source: 'kern',
+                ruleId,
+                severity: 'warning',
+                category: 'bug',
+                message: `Duplicate variable "${key}". The last assignment wins; earlier lines are silently overridden when dotenv loads the file.`,
+                primarySpan: makeSpan(filePath, i + 1, 1, raw.length + 1),
+                relatedSpans: [makeSpan(filePath, prior.firstLine, 1, 1)],
+                confidence: 100,
+                fingerprint: `${ruleId}:${key}${suffix}`,
+            });
+        }
+        else {
+            seen.set(key, { firstLine: i + 1, dupCount: 0 });
+        }
+        // ── Possible committed secret ──────────────────────────────────────
+        if (!suppressSecretRule && SECRET_KEY_RE.test(key)) {
+            const valueUnquoted = valueForSecretCheck(rawValue);
+            if (valueUnquoted.length > 0 && !isPlaceholder(valueUnquoted)) {
+                const ruleId = 'env/possible-secret';
+                findings.push({
+                    source: 'kern',
+                    ruleId,
+                    severity: 'warning',
+                    category: 'bug',
+                    message: `"${key}" looks like a secret with a real-looking value committed. If this is a placeholder, rename the file to \`.env.example\` (or similar) or use \`<placeholder>\` / \`\${VAR}\` syntax.`,
+                    primarySpan: makeSpan(filePath, i + 1, 1, raw.length + 1),
+                    confidence: 70,
+                    // Fingerprint by key only — same key flagged across edits stays
+                    // the same finding. We do NOT include the value (changes are
+                    // exactly the signal we want to NOT suppress).
+                    fingerprint: `${ruleId}:${key}`,
+                });
+            }
+        }
+    }
+    return findings;
+}
+//# sourceMappingURL=env.js.map

package/dist/config-files/env.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"env.js","sourceRoot":"","sources":["../../src/config-files/env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAGrC,2EAA2E;AAC3E,uEAAuE;AACvE,qBAAqB;AACrB,cAAc;AACd,oEAAoE;AACpE,MAAM,aAAa,GAAG,4DAA4D,CAAC;AAEnF,kEAAkE;AAClE,MAAM,aAAa,GACjB,+GAA+G,CAAC;AAElH,qEAAqE;AACrE,uEAAuE;AACvE,uEAAuE;AACvE,gEAAgE;AAChE,MAAM,oBAAoB,GAAG;IAC3B,OAAO;IACP,sHAAsH;IACtH,yBAAyB,EAAE,sBAAsB;IACjD,WAAW,EAAE,iBAAiB;IAC9B,eAAe,EAAE,WAAW;IAC5B,OAAO,EAAE,qBAAqB;IAC9B,wBAAwB,EAAE,gBAAgB;CAC3C,CAAC;AAEF,0DAA0D;AAC1D,SAAS,OAAO,CAAC,CAAS;IACxB,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QACpC,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;;;;;;;;;mDAcmD;AACnD,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,OAAO,KAAK,EAAE;QAAE,OAAO,EAAE,CAAC;IAE9B,IAAI,IAAI,GAAG,OAAO,CAAC;IACnB,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAChC,IAAI,KAAK,KAAK,GAAG,IAAI,KAAK,KAAK,GAAG,EAAE,CAAC;QACnC,6CAA6C;QAC7C,IAAI,MAAM,GAAG,CAAC,CAAC,CAAC;QAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACxC,MAAM,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC5B,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;gBACf,CAAC,EAAE,CAAC,CAAC,wBAAwB;gBAC7B,SAAS;YACX,CAAC;YACD,IAAI,CAAC,KAAK,KAAK,EAAE,CAAC;gBAChB,MAAM,GAAG,CAAC,CAAC;gBACX,MAAM;YACR,CAAC;QACH,CAAC;QACD,IAAI,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;YAClB,oEAAoE;YACpE,oEAAoE;YACpE,+CAA+C;YAC/C,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,GAAG,CAAC,CAAC,CAAC;QACtC,CAAC;QACD,qEAAqE;QACrE,8BAA8B;IAChC,CAAC;SAAM,CAAC;QACN,+DAA+D;QAC/D,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,OAAO,KAAK,CAAC,CAAC;YAAE,IAAI,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IAED,OAAO,OAAO,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;AAC9B,CAAC;AAED,SAAS,aAAa,CAAC,KAAa;IAClC,KAAK,MAAM,EAAE,IAAI,oBAAoB,EAAE,CAAC;QACtC,IAAI,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;0CAE0C;AAC1C,SAAS,iBAAiB,CAAC,QAAgB;IACzC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9C,OAAO,kDAAkD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvE,CAAC;AAED;2CAC2C;AAC3C,MAAM,UAAU,SAAS,CAAC,QAAgB;IACxC,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChC,OAAO,IAAI,KAAK,MAAM,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;AACrD,CAAC;AAED,yEAAyE;AACzE,SAAS,SAAS,CAAC,CAAS;IAC1B,IAAI,CAAC,GAAG,IAAI,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,QAAQ,CAAC,QAAgB,EAAE,IAAY,EAAE,QAAgB,EAAE,MAAc;IAChF,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,QAAgB;IAC5D,MAAM,QAAQ,GAAoB,EAAE,CAAC;IACrC,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAEvD,wEAAwE;IACxE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAmD,CAAC;IAExE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACpC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAE,CAAC;QACtB,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;QAC3B,IAAI,OAAO,KAAK,EAAE;YAAE,SAAS;QAC7B,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAEtC,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;QACnC,IAAI,CAAC,CAAC,EAAE,CAAC;YACP,0DAA0D;YAC1D,MAAM,MAAM,GAAG,eAAe,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,MAAM;gBACN,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,OAAO;gBACjB,OAAO,EAAE,iGAAiG;gBAC1G,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;gBACzD,UAAU,EAAE,EAAE;gBACd,iEAAiE;gBACjE,iEAAiE;gBACjE,yBAAyB;gBACzB,WAAW,EAAE,GAAG,MAAM,IAAI,SAAS,CAAC,OAAO,CAAC,EAAE;aAC/C,CAAC,CAAC;YACH,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;QAClB,MAAM,QAAQ,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QAE5B,sEAAsE;QACtE,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,EAAE,CAAC;YACV,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;YACpB,MAAM,MAAM,GAAG,mBAAmB,CAAC;YACnC,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;YAChE,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,MAAM;gBACd,MAAM;gBACN,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,KAAK;gBACf,OAAO,EAAE,uBAAuB,GAAG,gGAAgG;gBACnI,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;gBACzD,YAAY,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;gBACzD,UAAU,EAAE,GAAG;gBACf,WAAW,EAAE,GAAG,MAAM,IAAI,GAAG,GAAG,MAAM,EAAE;aACzC,CAAC,CAAC;QACL,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,CAAC,GAAG,CAAC,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;QACnD,CAAC;QAED,sEAAsE;QACtE,IAAI,CAAC,kBAAkB,IAAI,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YACnD,MAAM,aAAa,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;YACpD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,aAAa,CAAC,EAAE,CAAC;gBAC9D,MAAM,MAAM,GAAG,qBAAqB,CAAC;gBACrC,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,MAAM;oBACd,MAAM;oBACN,QAAQ,EAAE,SAAS;oBACnB,QAAQ,EAAE,KAAK;oBACf,OAAO,EAAE,IAAI,GAAG,sLAAsL;oBACtM,WAAW,EAAE,QAAQ,CAAC,QAAQ,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;oBACzD,UAAU,EAAE,EAAE;oBACd,gEAAgE;oBAChE,6DAA6D;oBAC7D,+CAA+C;oBAC/C,WAAW,EAAE,GAAG,MAAM,IAAI,GAAG,EAAE;iBAChC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/config-files/json.d.ts

@@ -0,0 +1,20 @@
+/**
+ * JSON / JSONC analyzer — emits ReviewFindings for parse errors, duplicate
+ * keys, and trailing commas in strict JSON. Parallel to python-fallback.ts:
+ * a non-ts-morph analysis path that participates in the same finding pipeline
+ * so kern-sight (editor diagnostics) and kern-guard (PR Check annotations)
+ * both consume it without changes.
+ *
+ * Dialect detection:
+ *   .jsonc                  → JSONC (comments + trailing commas allowed)
+ *   tsconfig.json / jsconfig.json / .vscode/*.json → JSONC (de facto)
+ *   everything else .json   → strict JSON
+ *
+ * Fingerprint policy: NOT line-based. Parse errors fingerprint by error code
+ * + dialect; duplicate keys fingerprint by key-path. Line numbers shift under
+ * unrelated edits — line-based fingerprints would make kern-guard re-post
+ * the same finding as "new" on every PR that touched whitespace above it.
+ */
+import type { ReviewFinding } from '../types.js';
+/** Entry point for the engine dispatcher. */
+export declare function reviewJsonFile(source: string, filePath: string): ReviewFinding[];

package/dist/config-files/json.js

@@ -0,0 +1,220 @@
+/**
+ * JSON / JSONC analyzer — emits ReviewFindings for parse errors, duplicate
+ * keys, and trailing commas in strict JSON. Parallel to python-fallback.ts:
+ * a non-ts-morph analysis path that participates in the same finding pipeline
+ * so kern-sight (editor diagnostics) and kern-guard (PR Check annotations)
+ * both consume it without changes.
+ *
+ * Dialect detection:
+ *   .jsonc                  → JSONC (comments + trailing commas allowed)
+ *   tsconfig.json / jsconfig.json / .vscode/*.json → JSONC (de facto)
+ *   everything else .json   → strict JSON
+ *
+ * Fingerprint policy: NOT line-based. Parse errors fingerprint by error code
+ * + dialect; duplicate keys fingerprint by key-path. Line numbers shift under
+ * unrelated edits — line-based fingerprints would make kern-guard re-post
+ * the same finding as "new" on every PR that touched whitespace above it.
+ */
+import { basename } from 'node:path';
+import { parseTree } from 'jsonc-parser';
+function dialectForPath(filePath) {
+    if (filePath.endsWith('.jsonc'))
+        return 'jsonc';
+    // Files inside a `.vscode/` directory (settings.json, launch.json,
+    // tasks.json, extensions.json, …) accept JSONC per VS Code convention.
+    // Normalize separators so the check works on Windows paths too.
+    const normalized = filePath.replace(/\\/g, '/');
+    if (normalized.includes('/.vscode/'))
+        return 'jsonc';
+    // tsconfig + jsconfig allow comments per TS spec — matches `tsconfig.json`,
+    // `tsconfig.base.json`, etc. (startsWith already covers `tsconfig.json`.)
+    const base = basename(filePath).toLowerCase();
+    if (base.startsWith('tsconfig.') || base.startsWith('jsconfig.'))
+        return 'jsonc';
+    return 'json';
+}
+// jsonc-parser ParseErrorCode is a `const enum` — values are inlined at
+// compile time and there is no runtime reverse-lookup table. Mirror the
+// numeric enum to a stable kebab-case slug here. If jsonc-parser ever
+// renumbers (it has been stable since 1.x) the analyzer will degrade to
+// `unknown-<n>` rather than crash.
+const ERROR_CODE_SLUGS = {
+    1: 'invalid-symbol',
+    2: 'invalid-number-format',
+    3: 'property-name-expected',
+    4: 'value-expected',
+    5: 'colon-expected',
+    6: 'comma-expected',
+    7: 'close-brace-expected',
+    8: 'close-bracket-expected',
+    9: 'end-of-file-expected',
+    10: 'invalid-comment-token',
+    11: 'unexpected-end-of-comment',
+    12: 'unexpected-end-of-string',
+    13: 'unexpected-end-of-number',
+    14: 'invalid-unicode',
+    15: 'invalid-escape-character',
+    16: 'invalid-character',
+};
+function errorCodeSlug(code) {
+    return ERROR_CODE_SLUGS[code] ?? `unknown-${code}`;
+}
+function humanize(err, dialect) {
+    const slug = errorCodeSlug(err.error);
+    if (slug === 'invalid-comment-token' && dialect === 'json') {
+        return 'Comments are not allowed in strict JSON. Rename to .jsonc or remove the comment.';
+    }
+    if (slug === 'value-expected')
+        return 'Expected a JSON value (string, number, object, array, boolean, or null).';
+    if (slug === 'colon-expected')
+        return "Expected ':' between property name and value.";
+    if (slug === 'comma-expected')
+        return "Expected ',' between elements.";
+    if (slug === 'close-brace-expected')
+        return "Expected '}' to close object.";
+    if (slug === 'close-bracket-expected')
+        return "Expected ']' to close array.";
+    if (slug === 'invalid-character')
+        return 'Invalid character in JSON.';
+    if (slug === 'invalid-escape-character')
+        return 'Invalid escape sequence in string.';
+    if (slug === 'invalid-unicode')
+        return 'Invalid Unicode escape sequence.';
+    if (slug === 'invalid-number-format')
+        return 'Invalid number format.';
+    if (slug === 'property-name-expected')
+        return 'Expected a property name (a quoted string).';
+    if (slug === 'end-of-file-expected')
+        return 'Trailing content after end of JSON value.';
+    if (slug === 'unexpected-end-of-comment')
+        return 'Unclosed comment — reached end of file before `*/`.';
+    if (slug === 'unexpected-end-of-string')
+        return 'Unclosed string — reached end of file before closing quote.';
+    if (slug === 'unexpected-end-of-number')
+        return 'Unterminated number literal.';
+    if (slug === 'invalid-symbol')
+        return 'Unexpected token in JSON.';
+    return `JSON parse error: ${slug}.`;
+}
+/** Convert a character offset into the source to a 1-based (line, col) pair. */
+function offsetToLineCol(source, offset) {
+    const clamped = Math.max(0, Math.min(offset, source.length));
+    let line = 1;
+    let lineStart = 0;
+    for (let i = 0; i < clamped; i++) {
+        if (source.charCodeAt(i) === 0x0a /* \n */) {
+            line++;
+            lineStart = i + 1;
+        }
+    }
+    return { line, col: clamped - lineStart + 1 };
+}
+function spanAt(source, filePath, offset, length) {
+    const start = offsetToLineCol(source, offset);
+    const end = offsetToLineCol(source, offset + Math.max(1, length));
+    return { file: filePath, startLine: start.line, startCol: start.col, endLine: end.line, endCol: end.col };
+}
+/**
+ * Walk the AST collecting duplicate property names within the same object.
+ * Builds a structural key-path (e.g. `compilerOptions.paths`) so the
+ * fingerprint stays stable across unrelated formatting changes.
+ */
+function detectDuplicateKeys(tree, source, filePath) {
+    const out = [];
+    function visit(node, path) {
+        if (node.type === 'object' && node.children) {
+            // Track first-occurrence node AND how many duplicates we've already
+            // emitted for that key. The count lets us disambiguate fingerprints
+            // when the same key appears 3+ times in one object — without a
+            // counter, dedup in kern-guard would collapse all but one into the
+            // baseline and a later edit could silently drop a real finding.
+            const seen = new Map();
+            for (const prop of node.children) {
+                // jsonc-parser 'property' node: children[0] = key, children[1] = value
+                if (prop.type !== 'property' || !prop.children || prop.children.length < 1)
+                    continue;
+                const keyNode = prop.children[0];
+                if (!keyNode || keyNode.type !== 'string' || typeof keyNode.value !== 'string')
+                    continue;
+                const key = keyNode.value;
+                const childPath = path ? `${path}.${key}` : key;
+                const entry = seen.get(key);
+                if (entry) {
+                    entry.dupCount += 1;
+                    const ruleId = 'json/duplicate-key';
+                    // Second duplicate keeps the path-only fingerprint (most common
+                    // case, stable across formatting). Third+ append `#N` so each
+                    // additional occurrence is independently dedup-able.
+                    const suffix = entry.dupCount === 1 ? '' : `#${entry.dupCount}`;
+                    out.push({
+                        source: 'kern',
+                        ruleId,
+                        severity: 'error',
+                        category: 'bug',
+                        message: `Duplicate property "${key}" in object. The second value silently overrides the first in JSON.parse.`,
+                        primarySpan: spanAt(source, filePath, keyNode.offset, keyNode.length),
+                        relatedSpans: [spanAt(source, filePath, entry.firstNode.offset, entry.firstNode.length)],
+                        confidence: 100,
+                        fingerprint: `${ruleId}:${childPath}${suffix}`,
+                    });
+                }
+                else {
+                    seen.set(key, { firstNode: keyNode, dupCount: 0 });
+                }
+                const valueNode = prop.children[1];
+                if (valueNode)
+                    visit(valueNode, childPath);
+            }
+        }
+        else if (node.type === 'array' && node.children) {
+            for (let i = 0; i < node.children.length; i++) {
+                const child = node.children[i];
+                if (child)
+                    visit(child, `${path}[${i}]`);
+            }
+        }
+    }
+    visit(tree, '');
+    return out;
+}
+/** Entry point for the engine dispatcher. */
+export function reviewJsonFile(source, filePath) {
+    const dialect = dialectForPath(filePath);
+    const errors = [];
+    const tree = parseTree(source, errors, {
+        disallowComments: dialect === 'json',
+        allowTrailingComma: dialect === 'jsonc',
+    });
+    const findings = [];
+    // Track per-(ruleId) occurrence count so multiple parse errors of the
+    // same kind (e.g. two separate `invalid-comment-token` in a strict JSON)
+    // produce distinct fingerprints. Without this, kern-guard's baseline
+    // dedup collapses N independent errors into one and silently hides the
+    // others on the next PR.
+    const perRuleCount = new Map();
+    for (const err of errors) {
+        const slug = errorCodeSlug(err.error);
+        const ruleId = `json/parse/${slug}`;
+        const idx = perRuleCount.get(ruleId) ?? 0;
+        perRuleCount.set(ruleId, idx + 1);
+        // First occurrence keeps the cleanest fingerprint (most common case
+        // is exactly one parse error per file); 2nd+ append `#N` so they are
+        // independently dedup-able. Still line-independent.
+        const suffix = idx === 0 ? '' : `#${idx}`;
+        findings.push({
+            source: 'kern',
+            ruleId,
+            severity: 'error',
+            category: 'bug',
+            message: humanize(err, dialect),
+            primarySpan: spanAt(source, filePath, err.offset, err.length),
+            confidence: 100,
+            fingerprint: `${ruleId}:${dialect}${suffix}`,
+        });
+    }
+    if (tree) {
+        findings.push(...detectDuplicateKeys(tree, source, filePath));
+    }
+    return findings;
+}
+//# sourceMappingURL=json.js.map

package/dist/config-files/json.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"json.js","sourceRoot":"","sources":["../../src/config-files/json.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,EAA8B,SAAS,EAAE,MAAM,cAAc,CAAC;AAKrE,SAAS,cAAc,CAAC,QAAgB;IACtC,IAAI,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,OAAO,CAAC;IAChD,mEAAmE;IACnE,uEAAuE;IACvE,gEAAgE;IAChE,MAAM,UAAU,GAAG,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAChD,IAAI,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,OAAO,CAAC;IACrD,4EAA4E;IAC5E,0EAA0E;IAC1E,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC9C,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,OAAO,CAAC;IACjF,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,wEAAwE;AACxE,wEAAwE;AACxE,sEAAsE;AACtE,wEAAwE;AACxE,mCAAmC;AACnC,MAAM,gBAAgB,GAA2B;IAC/C,CAAC,EAAE,gBAAgB;IACnB,CAAC,EAAE,uBAAuB;IAC1B,CAAC,EAAE,wBAAwB;IAC3B,CAAC,EAAE,gBAAgB;IACnB,CAAC,EAAE,gBAAgB;IACnB,CAAC,EAAE,gBAAgB;IACnB,CAAC,EAAE,sBAAsB;IACzB,CAAC,EAAE,wBAAwB;IAC3B,CAAC,EAAE,sBAAsB;IACzB,EAAE,EAAE,uBAAuB;IAC3B,EAAE,EAAE,2BAA2B;IAC/B,EAAE,EAAE,0BAA0B;IAC9B,EAAE,EAAE,0BAA0B;IAC9B,EAAE,EAAE,iBAAiB;IACrB,EAAE,EAAE,0BAA0B;IAC9B,EAAE,EAAE,mBAAmB;CACxB,CAAC;AAEF,SAAS,aAAa,CAAC,IAAY;IACjC,OAAO,gBAAgB,CAAC,IAAI,CAAC,IAAI,WAAW,IAAI,EAAE,CAAC;AACrD,CAAC;AAED,SAAS,QAAQ,CAAC,GAAe,EAAE,OAAoB;IACrD,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,IAAI,KAAK,uBAAuB,IAAI,OAAO,KAAK,MAAM,EAAE,CAAC;QAC3D,OAAO,kFAAkF,CAAC;IAC5F,CAAC;IACD,IAAI,IAAI,KAAK,gBAAgB;QAAE,OAAO,0EAA0E,CAAC;IACjH,IAAI,IAAI,KAAK,gBAAgB;QAAE,OAAO,+CAA+C,CAAC;IACtF,IAAI,IAAI,KAAK,gBAAgB;QAAE,OAAO,gCAAgC,CAAC;IACvE,IAAI,IAAI,KAAK,sBAAsB;QAAE,OAAO,+BAA+B,CAAC;IAC5E,IAAI,IAAI,KAAK,wBAAwB;QAAE,OAAO,8BAA8B,CAAC;IAC7E,IAAI,IAAI,KAAK,mBAAmB;QAAE,OAAO,4BAA4B,CAAC;IACtE,IAAI,IAAI,KAAK,0BAA0B;QAAE,OAAO,oCAAoC,CAAC;IACrF,IAAI,IAAI,KAAK,iBAAiB;QAAE,OAAO,kCAAkC,CAAC;IAC1E,IAAI,IAAI,KAAK,uBAAuB;QAAE,OAAO,wBAAwB,CAAC;IACtE,IAAI,IAAI,KAAK,wBAAwB;QAAE,OAAO,6CAA6C,CAAC;IAC5F,IAAI,IAAI,KAAK,sBAAsB;QAAE,OAAO,2CAA2C,CAAC;IACxF,IAAI,IAAI,KAAK,2BAA2B;QAAE,OAAO,qDAAqD,CAAC;IACvG,IAAI,IAAI,KAAK,0BAA0B;QAAE,OAAO,6DAA6D,CAAC;IAC9G,IAAI,IAAI,KAAK,0BAA0B;QAAE,OAAO,8BAA8B,CAAC;IAC/E,IAAI,IAAI,KAAK,gBAAgB;QAAE,OAAO,2BAA2B,CAAC;IAClE,OAAO,qBAAqB,IAAI,GAAG,CAAC;AACtC,CAAC;AAED,gFAAgF;AAChF,SAAS,eAAe,CAAC,MAAc,EAAE,MAAc;IACrD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,EAAE,CAAC,EAAE,EAAE,CAAC;QACjC,IAAI,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC3C,IAAI,EAAE,CAAC;YACP,SAAS,GAAG,CAAC,GAAG,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,GAAG,EAAE,OAAO,GAAG,SAAS,GAAG,CAAC,EAAE,CAAC;AAChD,CAAC;AAED,SAAS,MAAM,CAAC,MAAc,EAAE,QAAgB,EAAE,MAAc,EAAE,MAAc;IAC9E,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IAClE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,IAAI,EAAE,QAAQ,EAAE,KAAK,CAAC,GAAG,EAAE,OAAO,EAAE,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC;AAC5G,CAAC;AAED;;;;GAIG;AACH,SAAS,mBAAmB,CAAC,IAAU,EAAE,MAAc,EAAE,QAAgB;IACvE,MAAM,GAAG,GAAoB,EAAE,CAAC;IAEhC,SAAS,KAAK,CAAC,IAAU,EAAE,IAAY;QACrC,IAAI,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAC5C,oEAAoE;YACpE,oEAAoE;YACpE,+DAA+D;YAC/D,mEAAmE;YACnE,gEAAgE;YAChE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAiD,CAAC;YACtE,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACjC,uEAAuE;gBACvE,IAAI,IAAI,CAAC,IAAI,KAAK,UAAU,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC;oBAAE,SAAS;gBACrF,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBACjC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ;oBAAE,SAAS;gBACzF,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC;gBAC1B,MAAM,SAAS,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;gBAEhD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAC5B,IAAI,KAAK,EAAE,CAAC;oBACV,KAAK,CAAC,QAAQ,IAAI,CAAC,CAAC;oBACpB,MAAM,MAAM,GAAG,oBAAoB,CAAC;oBACpC,gEAAgE;oBAChE,8DAA8D;oBAC9D,qDAAqD;oBACrD,MAAM,MAAM,GAAG,KAAK,CAAC,QAAQ,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,QAAQ,EAAE,CAAC;oBAChE,GAAG,CAAC,IAAI,CAAC;wBACP,MAAM,EAAE,MAAM;wBACd,MAAM;wBACN,QAAQ,EAAE,OAAO;wBACjB,QAAQ,EAAE,KAAK;wBACf,OAAO,EAAE,uBAAuB,GAAG,2EAA2E;wBAC9G,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,CAAC;wBACrE,YAAY,EAAE,CAAC,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;wBACxF,UAAU,EAAE,GAAG;wBACf,WAAW,EAAE,GAAG,MAAM,IAAI,SAAS,GAAG,MAAM,EAAE;qBAC/C,CAAC,CAAC;gBACL,CAAC;qBAAM,CAAC;oBACN,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;gBACrD,CAAC;gBAED,MAAM,SAAS,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,SAAS;oBAAE,KAAK,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;YAC7C,CAAC;QACH,CAAC;aAAM,IAAI,IAAI,CAAC,IAAI,KAAK,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;gBAC/B,IAAI,KAAK;oBAAE,KAAK,CAAC,KAAK,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC;YAC3C,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAChB,OAAO,GAAG,CAAC;AACb,CAAC;AAED,6CAA6C;AAC7C,MAAM,UAAU,cAAc,CAAC,MAAc,EAAE,QAAgB;IAC7D,MAAM,OAAO,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,MAAM,IAAI,GAAG,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE;QACrC,gBAAgB,EAAE,OAAO,KAAK,MAAM;QACpC,kBAAkB,EAAE,OAAO,KAAK,OAAO;KACxC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAoB,EAAE,CAAC;IAErC,sEAAsE;IACtE,yEAAyE;IACzE,qEAAqE;IACrE,uEAAuE;IACvE,yBAAyB;IACzB,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC/C,KAAK,MAAM,GAAG,IAAI,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,aAAa,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,cAAc,IAAI,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,YAAY,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QAC1C,YAAY,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,GAAG,CAAC,CAAC,CAAC;QAClC,oEAAoE;QACpE,qEAAqE;QACrE,oDAAoD;QACpD,MAAM,MAAM,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,GAAG,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC;YACZ,MAAM,EAAE,MAAM;YACd,MAAM;YACN,QAAQ,EAAE,OAAO;YACjB,QAAQ,EAAE,KAAK;YACf,OAAO,EAAE,QAAQ,CAAC,GAAG,EAAE,OAAO,CAAC;YAC/B,WAAW,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,MAAM,CAAC;YAC7D,UAAU,EAAE,GAAG;YACf,WAAW,EAAE,GAAG,MAAM,IAAI,OAAO,GAAG,MAAM,EAAE;SAC7C,CAAC,CAAC;IACL,CAAC;IAED,IAAI,IAAI,EAAE,CAAC;QACT,QAAQ,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/config-files/markdown.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Markdown analyzer + outline extractor — self-contained line scanner.
+ *
+ * Replaces the previous `mdast-util-from-markdown` dependency (which pulled
+ * ~30 transitive `micromark-*` packages) with a focused state machine. The
+ * tradeoff is deliberate: this is NOT a CommonMark parser. It is a config /
+ * docs hygiene scanner that covers exactly what kern-sight and kern-guard
+ * need today —
+ *
+ *   • ATX headings (`#` through `######`) outside fenced code
+ *   • Image syntax `![alt](url)` on a non-code line
+ *   • Fenced-code awareness (backtick and tilde fences, length-matched)
+ *   • Outline tree built from heading levels + slugs
+ *
+ * What we deliberately do NOT handle, because feature surface stays small:
+ *
+ *   • Setext headings (`===` / `---` underlines) — uncommon in this codebase
+ *   • Inline HTML headings (`<h1>…</h1>`)
+ *   • Reference-style images (`![alt][label]` + `[label]: url`)
+ *   • Indented (4-space) code blocks
+ *   • Tab handling beyond the obvious cases
+ *   • Inline code spans (`` `![](url)` ``) — image syntax inside backtick
+ *     spans on an otherwise non-fenced line can trip the image-alt rule.
+ *     False positives here surface as `md/image-missing-alt` on the URL
+ *     inside the span. Acceptable for a hygiene scanner; if it becomes
+ *     a real noise source, suppress with `kern-ignore` directives.
+ *
+ * If a doc uses those forms, findings on it are best-effort. The point is
+ * predictable diagnostics for the common 95% case, not full CommonMark
+ * fidelity, and to keep `@kernlang/review` trending toward zero dependencies.
+ *
+ * Two outputs from a single pass:
+ *
+ *   1. ReviewFinding[] — structural issues (skipped heading levels, missing
+ *      image alt text). Flow through the engine's standard pipeline so both
+ *      kern-sight (editor diagnostics) and kern-guard (Check annotations)
+ *      consume them without API changes.
+ *
+ *   2. MarkdownOutline — heading tree shaped for kern-sight's Current File
+ *      webview. Exported separately because kern-guard has no use for it
+ *      (only findings get posted to GitHub); keeping it off the engine's
+ *      ReviewReport keeps the worker-side surface minimal.
+ *
+ * Fingerprint policy: structural keys (heading path, image alt-text URL),
+ * NEVER line numbers, so kern-guard's baseline dedup does not re-post on
+ * whitespace edits.
+ */
+import type { ReviewFinding } from '../types.js';
+/** A single heading in the outline tree, with nesting. */
+export interface MarkdownOutlineHeading {
+    level: 1 | 2 | 3 | 4 | 5 | 6;
+    text: string;
+    /** GitHub-style slug (lowercase, hyphenated, alphanumerics + hyphens). */
+    slug: string;
+    /** 1-based start line of the heading marker. */
+    line: number;
+    children: MarkdownOutlineHeading[];
+}
+export interface MarkdownOutline {
+    /** Flat list of headings in source order. */
+    flat: MarkdownOutlineHeading[];
+    /** Nested heading tree (each heading owns the higher-level headings under it). */
+    tree: MarkdownOutlineHeading[];
+}
+/** Entry point for the engine dispatcher — findings only. */
+export declare function reviewMarkdownFile(source: string, filePath: string): ReviewFinding[];
+/** Public outline extractor — kern-sight only. */
+export declare function extractMarkdownOutline(source: string): MarkdownOutline;