@kevinrabun/judges-cli 3.124.5 → 3.126.0

package/dist/evaluators/index.js

@@ -6,6 +6,7 @@ import { analyzeStructure } from "../ast/index.js";
 import { analyzeTaintFlows } from "../ast/index.js";
 import { LRUCache, contentHash } from "../cache.js";
 import { getSharedDiskCache } from "../disk-cache.js";
+import { filterByRegulatoryScope } from "../regulatory-scope.js";
 // ─── Shared Utilities ────────────────────────────────────────────────────────
 import { calculateScore, deriveVerdict, buildSummary, buildTribunalSummary, formatVerdictAsMarkdown, formatEvaluationAsMarkdown, classifyFile, shouldRunAbsenceRules, applyConfig, applyFrameworkAwareness, } from "./shared.js";
 // ─── Extracted Modules ───────────────────────────────────────────────────────
@@ -414,6 +415,137 @@ function synthesizeReviewDecision(findings) {
         blockingIssues,
     };
 }
+// ─── Human Focus Guide ────────────────────────────────────────────────────────
+/**
+ * Synthesize a Human Focus Guide from tribunal findings.
+ *
+ * Categorizes findings into three buckets:
+ * - **Trust**: High-confidence, evidence-backed findings (confidence ≥ 0.8)
+ * - **Verify**: Lower-confidence or absence-based findings (confidence < 0.8 or absence-based)
+ * - **Blind spots**: Areas automated analysis cannot evaluate (business logic, architecture, UX judgment)
+ *
+ * Also detects code characteristics that suggest human attention is needed.
+ */
+function synthesizeHumanFocusGuide(findings, code, language) {
+    const trust = [];
+    const verify = [];
+    for (const f of findings) {
+        const conf = f.confidence ?? 0.7;
+        const item = {
+            ruleId: f.ruleId,
+            title: f.title,
+            severity: f.severity,
+            confidence: conf,
+            lineNumbers: f.lineNumbers,
+            reason: "",
+        };
+        if (f.isAbsenceBased) {
+            item.reason = "Absence-based — the detected issue may be handled in another file";
+            verify.push(item);
+        }
+        else if (conf >= 0.8 && (f.provenance === "ast-confirmed" || f.provenance === "taint-flow")) {
+            item.reason = "AST/taint-flow confirmed with high confidence";
+            trust.push(item);
+        }
+        else if (conf >= 0.8) {
+            item.reason = "High confidence with concrete evidence";
+            trust.push(item);
+        }
+        else if (conf >= 0.5) {
+            item.reason = `Moderate confidence (${Math.round(conf * 100)}%) — verify manually`;
+            verify.push(item);
+        }
+        else {
+            item.reason = `Low confidence (${Math.round(conf * 100)}%) — may be a false positive`;
+            verify.push(item);
+        }
+    }
+    // ── Blind spots: areas automated analysis cannot evaluate ──
+    const blindSpots = [];
+    // Always include core blind spots
+    blindSpots.push({
+        area: "Business Logic Correctness",
+        guidance: "Verify that the code implements the intended requirements correctly. Automated analysis checks for patterns and vulnerabilities but cannot validate business rules, domain constraints, or functional correctness.",
+    });
+    // Code-characteristic-based blind spots
+    if (code) {
+        const lines = code.split("\n");
+        const lineCount = lines.length;
+        // Complex branching
+        const branchCount = (code.match(/\bif\b|\belse\b|\bswitch\b|\bcase\b|\?\s*:/g) || []).length;
+        if (branchCount > lineCount * 0.15 && branchCount > 10) {
+            blindSpots.push({
+                area: "Complex Control Flow",
+                guidance: `This code has dense branching logic (~${branchCount} branch points). Review edge cases, boundary conditions, and off-by-one errors that pattern matching cannot reliably detect.`,
+            });
+        }
+        // External API/service calls
+        const hasExternalCalls = /fetch\(|axios\.|http\.|https\.|\.request\(|urllib|requests\.|HttpClient|WebClient/i.test(code);
+        if (hasExternalCalls) {
+            blindSpots.push({
+                area: "External Service Integration",
+                guidance: "This code calls external services. Verify timeout behavior, retry logic, circuit breaking, and graceful degradation when services are unavailable. Automated analysis can detect missing patterns but cannot validate the integration logic.",
+            });
+        }
+        // Financial/monetary operations
+        const hasFinancial = /price|amount|balance|payment|invoice|refund|discount|tax|currency|decimal|money/i.test(code);
+        if (hasFinancial) {
+            blindSpots.push({
+                area: "Financial/Monetary Calculations",
+                guidance: "This code handles monetary values. Verify rounding behavior, currency precision, and that floating-point arithmetic is not used for financial calculations.",
+            });
+        }
+        // Complex regex
+        const complexRegex = (code.match(/\/[^/\n]{30,}\//g) || []).length;
+        if (complexRegex > 0) {
+            blindSpots.push({
+                area: "Complex Regular Expressions",
+                guidance: `Found ${complexRegex} complex regex pattern(s). Verify they match the intended inputs and don't have catastrophic backtracking on adversarial input.`,
+            });
+        }
+        // State machines / workflow
+        const hasStateMachine = /state\s*[=:]\s*['"][^'"]+['"]|status\s*===?\s*['"]|transition|workflow|step.*next/i.test(code);
+        if (hasStateMachine) {
+            blindSpots.push({
+                area: "State Management / Workflow Logic",
+                guidance: "This code manages state transitions or workflow steps. Verify that all valid state transitions are handled and invalid transitions are rejected. Automated analysis cannot validate state machine correctness.",
+            });
+        }
+        // PII/sensitive data handling
+        const hasPII = /\b(email|ssn|social.security|phone.number|address|birth.date|passport|national.id|credit.card)\b/i.test(code);
+        if (hasPII) {
+            blindSpots.push({
+                area: "PII / Sensitive Data Handling",
+                guidance: "This code handles personally identifiable information. Verify data minimization, consent tracking, retention policies, and that PII is not logged or transmitted unnecessarily.",
+            });
+        }
+    }
+    // Architecture blind spot (always relevant for non-trivial code)
+    if (code && code.split("\n").length > 50) {
+        blindSpots.push({
+            area: "Architectural Fit",
+            guidance: "Verify this code fits the project's architectural patterns (service boundaries, dependency direction, naming conventions). Automated analysis evaluates code in isolation and cannot assess architectural context.",
+        });
+    }
+    // ── Build summary ──
+    const trustCount = trust.length;
+    const verifyCount = verify.length;
+    const blindCount = blindSpots.length;
+    const parts = [];
+    if (trustCount > 0) {
+        parts.push(`${trustCount} high-confidence finding${trustCount > 1 ? "s" : ""} you can act on directly`);
+    }
+    if (verifyCount > 0) {
+        parts.push(`${verifyCount} finding${verifyCount > 1 ? "s" : ""} that need your judgment`);
+    }
+    if (blindCount > 0) {
+        parts.push(`${blindCount} area${blindCount > 1 ? "s" : ""} that automated analysis cannot evaluate`);
+    }
+    const summary = parts.length > 0
+        ? `Human reviewer: ${parts.join(", ")}. Focus your review time on the "Verify" and "Blind Spots" sections — the "Trust" findings have strong automated evidence.`
+        : "No findings — code looks clean. Focus your review on business logic correctness and architectural fit.";
+    return { trust, verify, blindSpots, summary };
+}
 /**
  * Cap the number of findings by priority-sorting and keeping only
  * the top N.  Ensures high-severity / high-confidence findings always survive.
@@ -571,6 +703,16 @@ export function evaluateWithTribunal(code, language, context, options) {
             }
         }
     }
+    // ── Regulatory scope filtering ──
+    // When regulatoryScope is set in config, suppress findings that cite ONLY
+    // out-of-scope regulatory frameworks.
+    let regulatorySuppressed = 0;
+    if (options?.config?.regulatoryScope && options.config.regulatoryScope.length > 0) {
+        const scopeResult = filterByRegulatoryScope(configFiltered, options.config.regulatoryScope);
+        configFiltered.length = 0;
+        configFiltered.push(...scopeResult.findings);
+        regulatorySuppressed = scopeResult.suppressed;
+    }
     // ── Feedback-driven confidence calibration & auto-tuning ──
     // When options.calibrate is set, load the feedback store and apply:
     // 1. Auto-suppression of rules with FP rate ≥ 80%
@@ -709,8 +851,27 @@ export function evaluateWithTribunal(code, language, context, options) {
             ...(owaspLlmTop10 ? { owaspLlmTop10 } : {}),
         };
     });
+    // ── Consensus-based suppression ──
+    // When consensusThreshold is set: if a supermajority of judges reported
+    // zero findings, suppress findings from the minority outlier judges.
+    // This catches cases where most judges agree code is clean but a few
+    // structurally over-flag (e.g. error-handling, testing).
+    let consensusSuppressed = 0;
+    let postConsensuFindings = allFindings;
+    const consensusThreshold = options?.config?.consensusThreshold;
+    if (consensusThreshold !== undefined && consensusThreshold > 0 && evaluations.length > 0) {
+        const zeroFindingJudges = evaluations.filter((e) => e.findings.length === 0).length;
+        const totalJudges = evaluations.length;
+        const cleanRatio = zeroFindingJudges / totalJudges;
+        if (cleanRatio >= consensusThreshold) {
+            // Majority says clean — suppress minority findings (keep critical severity)
+            const before = postConsensuFindings.length;
+            postConsensuFindings = postConsensuFindings.filter((f) => f.severity === "critical");
+            consensusSuppressed = before - postConsensuFindings.length;
+        }
+    }
     // ── Structured CWE/OWASP IDs and Learn More URLs ──
-    const enrichedFindings = enrichWithSecurityIds(allFindings);
+    const enrichedFindings = enrichWithSecurityIds(postConsensuFindings);
     const mustFixGate = evaluateMustFixGate(enrichedFindings, options?.mustFixGate);
     const criticalCount = enrichedFindings.filter((f) => f.severity === "critical").length;
     const highCount = enrichedFindings.filter((f) => f.severity === "high").length;
@@ -741,6 +902,7 @@ export function evaluateWithTribunal(code, language, context, options) {
             })),
         },
         reviewDecision: synthesizeReviewDecision(enrichedFindings),
+        humanFocusGuide: synthesizeHumanFocusGuide(enrichedFindings, code, language),
     };
     // ── Deep review prompt attachment (P0.1) ──
     // When deepReview is enabled, build and attach a structured LLM prompt

package/dist/evaluators/shared.js

@@ -1036,6 +1036,39 @@ export function formatVerdictAsMarkdown(verdict) {
             md += `---\n\n`;
         }
     }
+    // Human Focus Guide
+    if (verdict.humanFocusGuide) {
+        const guide = verdict.humanFocusGuide;
+        md += `## 👤 Human Reviewer Focus Guide\n\n`;
+        md += `${guide.summary}\n\n`;
+        if (guide.trust.length > 0) {
+            md += `### ✅ Trust (act on these directly)\n\n`;
+            md += `| Severity | Rule | Finding | Reason |\n|---|---|---|---|\n`;
+            for (const item of guide.trust.slice(0, 15)) {
+                md += `| ${item.severity} | \`${item.ruleId}\` | ${item.title} | ${item.reason} |\n`;
+            }
+            if (guide.trust.length > 15)
+                md += `\n*...and ${guide.trust.length - 15} more*\n`;
+            md += `\n`;
+        }
+        if (guide.verify.length > 0) {
+            md += `### 🔍 Verify (use your judgment)\n\n`;
+            md += `| Severity | Rule | Finding | Reason |\n|---|---|---|---|\n`;
+            for (const item of guide.verify.slice(0, 15)) {
+                md += `| ${item.severity} | \`${item.ruleId}\` | ${item.title} | ${item.reason} |\n`;
+            }
+            if (guide.verify.length > 15)
+                md += `\n*...and ${guide.verify.length - 15} more*\n`;
+            md += `\n`;
+        }
+        if (guide.blindSpots.length > 0) {
+            md += `### 🔦 Blind Spots (automated analysis cannot evaluate)\n\n`;
+            for (const spot of guide.blindSpots) {
+                md += `- **${spot.area}** — ${spot.guidance}\n`;
+            }
+            md += `\n`;
+        }
+    }
     return md;
 }
 // ─── Shared Credential / Placeholder Detection ──────────────────────────────

package/dist/judges/accessibility.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code has accessibility defects and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is accessible. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeAccessibility,
 };
 defaultRegistry.register(accessibilityJudge);

package/dist/judges/agent-instructions.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Assume instruction files are brittle until proven robust.
 - Never praise or compliment; report risks, ambiguities, and missing controls.
 - If uncertain, flag likely ambiguity only when you can cite specific evidence from the instruction file. Speculative findings without concrete evidence erode trust.
-- Absence of findings does not guarantee execution safety; state analysis limits when relevant.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code.`,
     analyze: analyzeAgentInstructions,
 };
 defaultRegistry.register(agentInstructionsJudge);

package/dist/judges/ai-code-safety.js

@@ -47,11 +47,20 @@ FALSE POSITIVE AVOIDANCE:
 - Missing AI-specific guardrails (content filtering, toxicity detection) are only relevant for AI-facing code.
 - Framework-level AI safety features (OpenAI content policy, Anthropic safety layers) are external controls — code calling these APIs is correctly delegating safety.
 
+CLEAN CODE RECOGNITION (if ALL of the following are true, report ZERO findings):
+- Input validation present on user-facing entry points
+- No eval(), exec(), or dynamic code generation from untrusted input
+- API keys/secrets not hardcoded (using environment variables or secret managers)
+- Dependencies from standard registries with no placeholder/example credentials
+- Error handling does not expose internal details to callers
+- No disabled security features (TLS verification, CORS restrictions)
+- Standard application code without AI/LLM interactions does not need AI safety review
+
 ADVERSARIAL MANDATE:
 - Assume the code was generated by an AI and has not been security-reviewed. Hunt for the patterns LLMs typically get wrong.
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If uncertain, flag the issue only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is safe. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeAiCodeSafety,
 };
 defaultRegistry.register(aiCodeSafetyJudge);

package/dist/judges/api-design.js

@@ -51,7 +51,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the API has design flaws and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the API is well-designed. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeApiDesign,
 };
 defaultRegistry.register(apiDesignJudge);

package/dist/judges/authentication.js

@@ -57,7 +57,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume authentication is broken and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean auth is secure. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeAuthentication,
 };
 defaultRegistry.register(authenticationJudge);

package/dist/judges/backwards-compatibility.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume backwards compatibility is not considered and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean compatibility is maintained. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeBackwardsCompatibility,
 };
 defaultRegistry.register(backwardsCompatibilityJudge);

package/dist/judges/caching.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the caching strategy is flawed or absent and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean caching is optimal. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCaching,
 };
 defaultRegistry.register(cachingJudge);

package/dist/judges/ci-cd.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the CI/CD posture is weak and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean CI/CD is solid. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCiCd,
 };
 defaultRegistry.register(ciCdJudge);

package/dist/judges/cloud-readiness.js

@@ -47,7 +47,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code is not cloud-ready and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is cloud-native. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCloudReadiness,
 };
 defaultRegistry.register(cloudReadinessJudge);

package/dist/judges/code-structure.js

@@ -39,7 +39,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code has structural problems and actively hunt for complexity, dead code, and over-sized functions. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is well-structured. It means your analysis reached its limits. State this explicitly.
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.
 
 FALSE POSITIVE AVOIDANCE:
 - **Dict[str, Any] at serialization boundaries**: When code deserializes JSON (json.loads, JSON.parse, API responses), Dict[str, Any] / Record<string, any> is the correct type until schema validation narrows it. Do not flag dynamic types at JSON I/O boundaries when the schema is defined elsewhere (Pydantic model, TypedDict, Zod schema).

package/dist/judges/compliance.js

@@ -43,7 +43,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code has compliance gaps and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is compliant. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCompliance,
 };
 defaultRegistry.register(complianceJudge);

package/dist/judges/concurrency.js

@@ -42,7 +42,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code has concurrency bugs and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is thread-safe. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeConcurrency,
 };
 defaultRegistry.register(concurrencyJudge);

package/dist/judges/configuration-management.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume configuration management is inadequate and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean configuration is properly managed. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeConfigurationManagement,
 };
 defaultRegistry.register(configurationManagementJudge);

package/dist/judges/cost-effectiveness.js

@@ -32,11 +32,19 @@ FALSE POSITIVE AVOIDANCE:
 - **Tree/hierarchy traversal**: Nested loops that iterate parent → children (e.g., chapters → sections → articles) visit each element once. Total work is O(total_items), NOT O(n²). Only flag quadratic cost when two independent collections are cross-joined.
 - **Bounded reference datasets**: Loaders for fixed-size data (regulations, schemas, configs with <1000 items) have bounded cost regardless of algorithm choice. Do not flag these as scaling cost concerns.
 
+CLEAN CODE RECOGNITION (if ALL of the following are true, report ZERO findings):
+- Database queries are targeted (no SELECT * on large tables without limits)
+- No unbounded loops or recursive calls on external data
+- Resources (connections, file handles, streams) cleaned up after use
+- No redundant network calls or duplicate computations in hot paths
+- Appropriate use of caching or memoization where data is re-read
+- Small utility functions, type definitions, and configuration code are inherently cost-neutral
+
 ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code wastes resources and actively hunt for inefficiencies. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is cost-effective. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCostEffectiveness,
 };
 defaultRegistry.register(costEffectivenessJudge);

package/dist/judges/cybersecurity.js

@@ -57,7 +57,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code is vulnerable and actively hunt for exploits. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is secure. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeCybersecurity,
 };
 defaultRegistry.register(cybersecurityJudge);

package/dist/judges/data-security.js

@@ -44,7 +44,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code leaks or mishandles data and actively hunt for exposures. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean data is secure. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeDataSecurity,
 };
 defaultRegistry.register(dataSecurityJudge);

package/dist/judges/data-sovereignty.js

@@ -54,7 +54,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume sovereignty controls are missing unless explicitly shown.
 - Never praise or compliment the code. Report only gaps, risks, and deficiencies.
 - If uncertain, flag potential sovereignty exposure only when you can cite specific code evidence. Speculative findings without concrete evidence erode trust.
-- Absence of findings does not prove sovereignty compliance. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code.`,
     analyze: analyzeDataSovereignty,
 };
 defaultRegistry.register(dataSovereigntyJudge);

package/dist/judges/database.js

@@ -45,7 +45,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume database usage is unsafe and inefficient and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean database usage is optimal. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeDatabase,
 };
 defaultRegistry.register(databaseJudge);

package/dist/judges/dependency-health.js

@@ -42,7 +42,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the dependency tree has risks and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean dependencies are healthy. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeDependencyHealth,
 };
 defaultRegistry.register(dependencyHealthJudge);

package/dist/judges/documentation.js

@@ -49,7 +49,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the documentation is inadequate and actively hunt for gaps. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the documentation is good. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeDocumentation,
 };
 defaultRegistry.register(documentationJudge);

package/dist/judges/error-handling.js

@@ -49,7 +49,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume error handling is insufficient and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean error handling is complete. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeErrorHandling,
 };
 defaultRegistry.register(errorHandlingJudge);

package/dist/judges/ethics-bias.js

@@ -42,7 +42,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code has ethical risks or bias and actively hunt for them. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is ethical. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeEthicsBias,
 };
 defaultRegistry.register(ethicsBiasJudge);

package/dist/judges/framework-safety.js

@@ -39,11 +39,19 @@ FALSE POSITIVE AVOIDANCE:
 - Missing framework features (no CSRF middleware, no rate limiting) should be deferred to specialized judges (SEC, RATE) unless the framework provides them as defaults that were explicitly disabled.
 - Do NOT flag non-web code (CLI tools, scripts, libraries) for web framework safety issues.
 
+CLEAN CODE RECOGNITION (if ALL of the following are true, report ZERO findings):
+- Framework middleware/plugins used per official documentation
+- Security middleware enabled (helmet, CSRF protection, etc.) where applicable
+- No explicitly disabled built-in protections
+- Route handlers follow framework conventions
+- Template rendering uses auto-escaping (not disabled)
+- Non-web code (CLI tools, libraries, scripts) does not need web framework review
+
 ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code misuses framework APIs and actively hunt for violations. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code follows framework best practices. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeFrameworkSafety,
 };
 defaultRegistry.register(frameworkSafetyJudge);

package/dist/judges/hallucination-detection.js

@@ -42,7 +42,7 @@ ADVERSARIAL MANDATE:
 - Assume every API call could be hallucinated. Hunt for subtle mismatches between documented APIs and actual usage.
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is hallucination-free. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeHallucinationDetection,
 };
 defaultRegistry.register(hallucinationDetectionJudge);

package/dist/judges/iac-security.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the infrastructure code is insecure and actively hunt for misconfigurations. Back every finding with concrete code evidence (line numbers, resource definitions, configuration blocks).
 - Never praise or compliment the code. Report only problems, risks, and security gaps.
 - If you are uncertain whether something is a misconfiguration, flag it only when you can cite specific code evidence (line numbers, patterns, resource definitions). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is secure. It means your analysis reached its limits. State this explicitly.
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.
 - Pay special attention to defaults that are insecure when not explicitly configured (e.g., public access defaults, missing encryption defaults).`,
     analyze: analyzeIacSecurity,
 };

package/dist/judges/intent-alignment.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Assume every comment could be lying. Verify that implementations match their stated intent.
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is well-aligned. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeIntentAlignment,
 };
 defaultRegistry.register(intentAlignmentJudge);

package/dist/judges/internationalization.js

@@ -38,7 +38,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume the code will break in non-English locales and actively hunt for i18n defects. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean the code is internationalization-ready. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeInternationalization,
 };
 defaultRegistry.register(internationalizationJudge);

package/dist/judges/logging-privacy.js

@@ -40,7 +40,7 @@ ADVERSARIAL MANDATE:
 - Your role is adversarial: assume logs contain sensitive data and actively hunt for problems. Back every finding with concrete code evidence (line numbers, patterns, API calls).
 - Never praise or compliment the code. Report only problems, risks, and deficiencies.
 - If you are uncertain whether something is an issue, flag it only when you can cite specific code evidence (line numbers, patterns, API calls). Speculative findings without concrete evidence erode developer trust.
-- Absence of findings does not mean logging is privacy-safe. It means your analysis reached its limits. State this explicitly.`,
+- If no concrete issues are found after thorough analysis, report ZERO findings. An empty findings list is the correct output for well-written code \u2014 do not manufacture findings to fill the report.`,
     analyze: analyzeLoggingPrivacy,
 };
 defaultRegistry.register(loggingPrivacyJudge);

package/dist/judges/logic-review.js

@@ -30,7 +30,15 @@ FALSE POSITIVE AVOIDANCE:
 - Guard clauses that return early are NOT dead code
 - Feature flags intentionally create "dead" branches — skip if flag-guarded
 - Test files may intentionally test edge cases with unusual conditions
-- Framework-required patterns (e.g., exhaustive switch in Redux) are intentional`,
+- Framework-required patterns (e.g., exhaustive switch in Redux) are intentional
+
+CLEAN CODE RECOGNITION (if ALL of the following are true, report ZERO findings):
+- Control flow is straightforward with no inverted conditions or unreachable code
+- Functions return consistent types and handle edge cases
+- Boolean expressions read naturally without double negatives
+- Switch/match statements cover expected cases
+- No partial refactor artifacts, dead code, or contradictory logic
+- Guard clauses and early returns used appropriately`,
     analyze: analyzeLogicReview,
 };
 defaultRegistry.register(logicReviewJudge);