@kevinrabun/judges-cli 3.127.1 → 3.127.3

package/README.md

@@ -1,6 +1,6 @@
 # @kevinrabun/judges-cli
 
-Standalone CLI package for Judges.
+Standalone CLI package for the [Judges Panel](https://github.com/KevinRabun/judges) — 45 specialized judges that evaluate code for security, quality, compliance, and 40 more dimensions.
 
 ## Install
 
@@ -11,14 +11,46 @@ npm install -g @kevinrabun/judges-cli
 ## Usage
 
 ```bash
+# Evaluate code
 judges eval src/app.ts
+judges eval src/ --format sarif --output report.sarif
+judges eval src/app.ts --judge cybersecurity
+judges eval src/app.ts --preset strict --fail-on-findings
+
+# List judges and regulatory frameworks
 judges list
-judges hook install
+judges list --frameworks
+
+# Auto-fix findings
+judges fix src/app.ts --apply
 
 # Agentic skills
 judges skill ai-code-review --file src/app.ts
 judges skill security-review --file src/api.ts --format json
-judges skills   # list available skills
+judges skills
+
+# Self-teaching
+judges codify-amendments          # bake benchmark amendments into judge files
+judges codify-amendments --dry-run
 ```
 
-Use `@kevinrabun/judges` when you need the MCP server or programmatic API.
+## Configuration
+
+Create a `.judgesrc.json` in your project root:
+
+```json
+{
+  "preset": "strict",
+  "regulatoryScope": ["GDPR", "PCI-DSS"],
+  "disabledJudges": ["accessibility"],
+  "failOnFindings": true
+}
+```
+
+See the [full configuration reference](https://github.com/KevinRabun/judges#configuration) for all options.
+
+## Packages
+
+- **`@kevinrabun/judges-cli`** — This package. Binary `judges` for CI/CD pipelines.
+- **`@kevinrabun/judges`** — Programmatic API + MCP server.
+- **VS Code extension** — [`kevinrabun.judges-panel`](https://marketplace.visualstudio.com/items?itemName=kevinrabun.judges-panel).

package/dist/commands/llm-benchmark.js

@@ -153,7 +153,7 @@ export function parseLlmRuleIds(response) {
     // IDs mentioned in rationale text or findings tables of "clean" judge sections
     // from being counted as detections.
     const sections = response.split(/(?:^|\n)---\s*\n|(?=^## )/m);
-    const zeroFindingsPattern = /\*?\*?(?:ZERO|zero|0|no)\s+findings?\*?\*?|(?:findings?|issues?)[\s:]*\*?\*?(?:none|0|zero)\*?\*?|no\s+(?:issues?|findings?|problems?|concerns?)\s+(?:found|detected|identified|reported)|report(?:ing)?\s+zero|Score\s*[|:]\s*\*?\*?100\s*\/?\s*100\*?\*?/i;
+    const zeroFindingsPattern = /(?:ZERO|zero|0|no) findings?|findings?[:\s]*(?:none|0|zero)|no (?:issues|findings|problems|concerns) (?:found|detected|identified|reported)|reporting? zero|Score[|: ]*100/i;
     for (const section of sections) {
         // If this section explicitly declares zero/no findings or a perfect score,
         // skip rule ID extraction — any rule IDs are explanatory references

package/dist/evaluators/index.js

@@ -504,7 +504,7 @@ function synthesizeHumanFocusGuide(findings, code, language) {
             });
         }
         // State machines / workflow
-        const hasStateMachine = /state\s*[=:]\s*['"][^'"]+['"]|status\s*===?\s*['"]|transition|workflow|step.*next/i.test(code);
+        const hasStateMachine = /state\s*[=:]\s*['"][^'"]+['"]|status\s*===?\s*['"]|transition|workflow|step[\w\s]{0,20}next/i.test(code);
         if (hasStateMachine) {
             blindSpots.push({
                 area: "State Management / Workflow Logic",

package/dist/probabilistic/llm-response-validator.js

@@ -5,7 +5,10 @@ const SEVERITY_SET = new Set(["critical", "high", "medium", "low", "info"]);
  * Attempt to parse a JSON payload embedded in LLM output. Supports fenced code blocks and raw JSON.
  */
 function parseJsonBlock(text) {
-    const fenceMatch = text.match(/```(?:json)?[ \t]*\n([\s\S]*?)\n[ \t]*```/i) ?? text.match(/```(?:json)?[ \t]*([\s\S]*?)```/i);
+    // Extract JSON from fenced code blocks — limit search to first 50KB to prevent ReDoS on large input
+    const searchText = text.length > 50_000 ? text.slice(0, 50_000) : text;
+    const fenceMatch = searchText.match(/```(?:json)?\s*\n([\s\S]{0,20000}?)\n\s*```/i) ??
+        searchText.match(/```(?:json)?\s*([\s\S]{0,20000}?)```/i);
     if (fenceMatch) {
         try {
             return JSON.parse(fenceMatch[1]);

package/dist/reports/public-repo-report.js

@@ -216,13 +216,9 @@ function compileExcludeRegexes(patterns) {
     if (!patterns || patterns.length === 0)
         return [];
     return patterns.map((pattern) => {
-        try {
-            return new RegExp(pattern, "i");
-        }
-        catch {
-            // Invalid regex from user input — treat as literal string match
-            return new RegExp(pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"), "i");
-        }
+        // Always escape user input to prevent regex injection, then compile
+        const escaped = pattern.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        return new RegExp(escaped, "i");
     });
 }
 function isLikelyNonProductionPath(path) {

package/dist/skill-loader.js

@@ -25,7 +25,7 @@ export function parseSkillFrontmatter(raw) {
             i++;
             continue;
         }
-        const kv = line.match(/^([a-zA-Z_][a-zA-Z0-9_-]*)[ \t]*:[ \t]*(.*)$/);
+        const kv = line.match(/^([a-zA-Z_][a-zA-Z0-9_-]*)[ \t]*:[ \t]*(.*?)$/s);
         if (!kv) {
             i++;
             continue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kevinrabun/judges-cli",
-  "version": "3.127.1",
+  "version": "3.127.3",
   "description": "CLI wrapper for the Judges code review toolkit.",
   "type": "module",
   "main": "dist/cli.js",