@kevinrabun/judges 2.2.0 → 3.0.0

package/README.md

@@ -1,6 +1,6 @@
 # Judges Panel
 
-An MCP (Model Context Protocol) server that provides a panel of **33 specialized judges** to evaluate AI-generated code — acting as an independent quality gate regardless of which project is being reviewed. Includes **built-in AST analysis** powered by the TypeScript Compiler API — no separate parser server needed.
+An MCP (Model Context Protocol) server that provides a panel of **35 specialized judges** to evaluate AI-generated code — acting as an independent quality gate regardless of which project is being reviewed. Includes **built-in AST analysis** powered by the TypeScript Compiler API — no separate parser server needed.
 
 **Highlights:**
 - Includes an **App Builder Workflow (3-step)** demo for release decisions, plain-language risk summaries, and prioritized fixes — see [Try the Demo](#2-try-the-demo).
@@ -26,7 +26,7 @@ npm run build
 
 ### 2. Try the Demo
 
-Run the included demo to see all 33 judges evaluate a purposely flawed API server:
+Run the included demo to see all 35 judges evaluate a purposely flawed API server:
 
 ```bash
 npm run demo
@@ -270,6 +270,8 @@ This helps keep Copilot feedback aligned with Judges findings.
 | **CI/CD** | CI/CD Pipeline & Deployment Safety | `CICD-` | Test infrastructure, lint config, Docker tags, build scripts |
 | **Code Structure** | Structural Analysis (AST) | `STRUCT-` | Cyclomatic complexity, nesting depth, function length, dead code, type safety |
 | **Agent Instructions** | Agent Instruction Markdown Quality & Safety | `AGENT-` | Instruction hierarchy, conflict detection, unsafe overrides, scope, validation, policy guidance |
+| **AI Code Safety** | AI-Generated Code Safety | `AICS-` | Prompt injection, insecure LLM output handling, debug defaults, missing validation, unsafe deserialization of AI responses |
+| **Framework Safety** | Framework-Specific Safety | `FWSAFE-` | React hooks ordering, Express middleware chains, Next.js SSR/SSG pitfalls, Angular/Vue lifecycle patterns, framework-specific anti-patterns |
 
 ---
 
@@ -326,7 +328,7 @@ When your AI coding assistant connects to multiple MCP servers, each one contrib
   │   Judges     │  │  CVE / │  │ Linter │
   │   Panel      │  │  SBOM  │  │ Server │
   │ ─────────────│  └────────┘  └────────┘
-  │ 32 Heuristic │   Vuln DB     Style &
+  │ 33 Heuristic │   Vuln DB     Style &
   │   judges     │   scanning    correctness
   │ + AST judge  │
   └──────────────┘
@@ -337,7 +339,7 @@ When your AI coding assistant connects to multiple MCP servers, each one contrib
 
 | Layer | What It Does | Example Servers |
 |-------|-------------|-----------------|
-| **Judges Panel** | 33-judge quality gate — security patterns, AST analysis, cost, scalability, a11y, compliance, sovereignty, ethics, dependency health, agent instruction governance | This server |
+| **Judges Panel** | 35-judge quality gate — security patterns, AST analysis, cost, scalability, a11y, compliance, sovereignty, ethics, dependency health, agent instruction governance, AI code safety, framework safety | This server |
 | **CVE / SBOM** | Vulnerability scanning against live databases — known CVEs, license risks, supply chain | OSV, Snyk, Trivy, Grype MCP servers |
 | **Linting** | Language-specific style and correctness rules | ESLint, Ruff, Clippy MCP servers |
 | **Runtime Profiling** | Memory, CPU, latency measurement on running code | Custom profiling MCP servers |
@@ -408,11 +410,6 @@ Supports:
 ### `evaluate_public_repo_report`
 Clone a **public repository URL**, run the full judges panel across eligible source files, and generate a consolidated markdown report.
 
-Report prioritization behavior includes:
-- weighted risk ranking (`severity × confidence × fixability`)
-- root-cause clustering to collapse duplicate findings across files
-- actionable top-risk output with confidence and suggested-fix snippets when available
-
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
 | `repoUrl` | string | yes | Public repository URL (`https://...`) |
@@ -424,7 +421,9 @@ Report prioritization behavior includes:
 | `credentialMode` | string | no | Credential detection mode: `standard` (default) or `strict` |
 | `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
 | `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
-| `quickStart` | flag | no | Opinionated high-signal defaults for onboarding (`minConfidence=0.9`, `credentialMode=strict`, path exclusions) |
+| `enableMustFixGate` | boolean | no | Enable must-fix gate summary for high-confidence dangerous findings (default: false) |
+| `mustFixMinConfidence` | number | no | Confidence threshold for must-fix gate triggers (0-1, default: 0.85) |
+| `mustFixDangerousRulePrefixes` | string[] | no | Optional dangerous rule prefixes for gate matching (e.g., `AUTH`, `CYBER`, `DATA`) |
 | `keepClone` | boolean | no | Keep cloned repo on disk for inspection |
 
 **Quick examples**
@@ -443,6 +442,9 @@ npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --i
 # show only findings at 80%+ confidence
 npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --minConfidence 0.8 --output reports/openclaw-judges-report-high-confidence.md
 
+# include must-fix gate summary in the generated report
+npm run report:public-repo -- --repoUrl https://github.com/openclaw/openclaw --enableMustFixGate true --mustFixMinConfidence 0.9 --mustFixDangerousPrefix AUTH --mustFixDangerousPrefix CYBER --output reports/openclaw-judges-report-mustfix.md
+
 # opinionated quick-start mode (recommended first run)
 npm run report:quickstart -- --repoUrl https://github.com/openclaw/openclaw --output reports/openclaw-quickstart.md
 ```
@@ -460,6 +462,9 @@ Call from MCP client:
     "credentialMode": "strict",
     "includeAstFindings": false,
     "minConfidence": 0.8,
+    "enableMustFixGate": true,
+    "mustFixMinConfidence": 0.9,
+    "mustFixDangerousRulePrefixes": ["AUTH", "CYBER", "DATA"],
     "outputPath": "reports/vscode-judges-report.md"
   }
 }
@@ -469,8 +474,7 @@ Typical response summary includes:
 - overall verdict and average score
 - analyzed file count and total findings
 - per-judge score table
-- highest-risk findings with risk scores and occurrence counts
-- unique root-cause cluster count and lowest-scoring files
+- highest-risk findings and lowest-scoring files
 
 Sample report snippet:
 
@@ -489,7 +493,7 @@ Generated from https://github.com/microsoft/vscode on 2026-02-21T12:00:00.000Z.
 List all available judges with their domains and descriptions.
 
 ### `evaluate_code`
-Submit code to the **full judges panel**. All 33 judges evaluate independently and return a combined verdict.
+Submit code to the **full judges panel**. All 35 judges evaluate independently and return a combined verdict.
 
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
@@ -498,6 +502,7 @@ Submit code to the **full judges panel**. All 33 judges evaluate independently a
 | `context` | string | no | Additional context about the code |
 | `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
 | `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
+| `config` | object | no | Inline configuration (see [Configuration](#configuration)) |
 
 ### `evaluate_code_single_judge`
 Submit code to a **specific judge** for targeted review.
@@ -509,9 +514,10 @@ Submit code to a **specific judge** for targeted review.
 | `judgeId` | string | yes | See [judge IDs](#judge-ids) below |
 | `context` | string | no | Additional context |
 | `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
+| `config` | object | no | Inline configuration (see [Configuration](#configuration)) |
 
 ### `evaluate_project`
-Submit multiple files for **project-level analysis**. All 33 judges evaluate each file, plus cross-file architectural analysis detects code duplication, inconsistent error handling, and dependency cycles.
+Submit multiple files for **project-level analysis**. All 35 judges evaluate each file, plus cross-file architectural analysis detects code duplication, inconsistent error handling, and dependency cycles.
 
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
@@ -519,9 +525,10 @@ Submit multiple files for **project-level analysis**. All 33 judges evaluate eac
 | `context` | string | no | Optional project context |
 | `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
 | `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
+| `config` | object | no | Inline configuration (see [Configuration](#configuration)) |
 
 ### `evaluate_diff`
-Evaluate only the **changed lines** in a code diff. Runs all 33 judges on the full file but filters findings to lines you specify. Ideal for PR reviews and incremental analysis.
+Evaluate only the **changed lines** in a code diff. Runs all 35 judges on the full file but filters findings to lines you specify. Ideal for PR reviews and incremental analysis.
 
 | Parameter | Type | Required | Description |
 |-----------|------|----------|-------------|
@@ -531,6 +538,7 @@ Evaluate only the **changed lines** in a code diff. Runs all 33 judges on the fu
 | `context` | string | no | Optional context about the change |
 | `includeAstFindings` | boolean | no | Include AST/code-structure findings (default: true) |
 | `minConfidence` | number | no | Minimum finding confidence to include (0-1, default: 0) |
+| `config` | object | no | Inline configuration (see [Configuration](#configuration)) |
 
 ### `analyze_dependencies`
 Analyze a dependency manifest file for supply-chain risks, version pinning issues, typosquatting indicators, and dependency hygiene. Supports `package.json`, `requirements.txt`, `Cargo.toml`, `go.mod`, `pom.xml`, and `.csproj` files.
@@ -543,7 +551,7 @@ Analyze a dependency manifest file for supply-chain risks, version pinning issue
 
 #### Judge IDs
 
-`data-security` · `cybersecurity` · `cost-effectiveness` · `scalability` · `cloud-readiness` · `software-practices` · `accessibility` · `api-design` · `reliability` · `observability` · `performance` · `compliance` · `data-sovereignty` · `testing` · `documentation` · `internationalization` · `dependency-health` · `concurrency` · `ethics-bias` · `maintainability` · `error-handling` · `authentication` · `database` · `caching` · `configuration-management` · `backwards-compatibility` · `portability` · `ux` · `logging-privacy` · `rate-limiting` · `ci-cd` · `code-structure` · `agent-instructions`
+`data-security` · `cybersecurity` · `cost-effectiveness` · `scalability` · `cloud-readiness` · `software-practices` · `accessibility` · `api-design` · `reliability` · `observability` · `performance` · `compliance` · `data-sovereignty` · `testing` · `documentation` · `internationalization` · `dependency-health` · `concurrency` · `ethics-bias` · `maintainability` · `error-handling` · `authentication` · `database` · `caching` · `configuration-management` · `backwards-compatibility` · `portability` · `ux` · `logging-privacy` · `rate-limiting` · `ci-cd` · `code-structure` · `agent-instructions` · `ai-code-safety` · `framework-safety`
 
 ---
 
@@ -586,7 +594,98 @@ Each judge has a corresponding prompt for LLM-powered deep analysis:
 | `judge-ci-cd` | Deep CI/CD pipeline review |
 | `judge-code-structure` | Deep AST-based structural analysis review |
 | `judge-agent-instructions` | Deep review of agent instruction markdown quality and safety |
-| `full-tribunal` | All 33 judges in a single prompt |
+| `judge-ai-code-safety` | Deep review of AI-generated code risks: prompt injection, insecure LLM output handling, debug defaults, missing validation |
+| `judge-framework-safety` | Deep review of framework-specific safety: React hooks, Express middleware, Next.js SSR/SSG, Angular/Vue patterns |
+| `full-tribunal` | All 35 judges in a single prompt |
+
+---
+
+## Configuration
+
+All evaluation tools accept an optional `config` parameter for inline configuration. This is the same format as `.judgesrc` / `.judgesrc.json` project files.
+
+```json
+{
+  "config": {
+    "disabledRules": ["COST-*", "I18N-001"],
+    "disabledJudges": ["accessibility", "ethics-bias"],
+    "minSeverity": "medium",
+    "ruleOverrides": {
+      "SEC-003": { "severity": "critical" },
+      "DOC-*": { "disabled": true }
+    }
+  }
+}
+```
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `disabledRules` | `string[]` | Rule IDs or prefix wildcards to suppress (e.g., `"COST-*"`, `"SEC-003"`) |
+| `disabledJudges` | `string[]` | Judge IDs to skip entirely (e.g., `"cost-effectiveness"`) |
+| `minSeverity` | `string` | Minimum severity to report: `critical`, `high`, `medium`, `low`, `info` |
+| `ruleOverrides` | `object` | Per-rule overrides keyed by rule ID or wildcard — `{ disabled?: boolean, severity?: string }` |
+
+---
+
+## Advanced Features
+
+### Inline Suppressions
+
+Suppress specific findings directly in source code using comment directives:
+
+```typescript
+const x = eval(input); // judges-ignore SEC-001
+// judges-ignore-next-line CYBER-002
+const y = dangerousOperation();
+// judges-file-ignore DOC-*    ← suppress globally for this file
+```
+
+Supported comment styles: `//`, `#`, `/* */`. Supports comma-separated rule IDs and wildcards (`*`, `SEC-*`).
+
+### Auto-Fix Patches
+
+Certain findings include machine-applicable patches in the `patch` field:
+
+| Pattern | Auto-Fix |
+|---------|----------|
+| `new Buffer(x)` | → `Buffer.from(x)` |
+| `http://` URLs (non-localhost) | → `https://` |
+| `Math.random()` | → `crypto.randomUUID()` |
+
+Patches include `oldText`, `newText`, `startLine`, and `endLine` for automated application.
+
+### Cross-Evaluator Deduplication
+
+When multiple judges flag the same issue (e.g., both Data Security and Cybersecurity detect SQL injection on line 15), findings are automatically deduplicated. The highest-severity finding wins, and the description is annotated with cross-references (e.g., *"Also identified by: CYBER-003"*).
+
+### Taint Flow Analysis
+
+The engine performs inter-procedural taint tracking to trace data from user-controlled sources (e.g., `req.body`, `process.env`) through transformations to security-sensitive sinks (e.g., `eval()`, `exec()`, SQL queries). Taint flows are used to boost confidence on true-positive findings and suppress false positives where sanitization is detected.
+
+### Positive Signal Detection
+
+Code that demonstrates good practices receives score bonuses (capped at +15):
+
+| Signal | Bonus |
+|--------|-------|
+| Parameterized queries | +3 |
+| Security headers (helmet) | +3 |
+| Auth middleware (passport, etc.) | +3 |
+| Proper error handling | +2 |
+| Input validation libs (zod, joi, etc.) | +2 |
+| Rate limiting | +2 |
+| Structured logging (pino, winston) | +2 |
+| CORS configuration | +1 |
+| Strict mode / strictNullChecks | +1 |
+| Test patterns (describe/it/expect) | +1 |
+
+### Framework-Aware Rules
+
+Judges include framework-specific detection for Express, Django, Flask, FastAPI, Spring, ASP.NET, Rails, and more. Framework middleware (e.g., `helmet()`, `express-rate-limit`, `passport.authenticate()`) is recognized as mitigation, reducing false positives.
+
+### Cross-File Import Resolution
+
+In project-level analysis, imports are resolved across files. If one file imports a security middleware module from another file in the project, findings about missing security controls are automatically adjusted with reduced confidence.
 
 ---
 
@@ -607,7 +706,7 @@ Each judge scores the code from **0 to 100**:
 - **WARNING** — Any high finding, any medium finding, or score < 80
 - **PASS** — Score ≥ 80 with no critical, high, or medium findings
 
-The **overall tribunal score** is the average of all 33 judges. The overall verdict fails if **any** judge fails.
+The **overall tribunal score** is the average of all 35 judges. The overall verdict fails if **any** judge fails.
 
 ---
 
@@ -618,6 +717,8 @@ judges/
 ├── src/
 │   ├── index.ts              # MCP server entry point — tools, prompts, transport
 │   ├── types.ts              # TypeScript interfaces (Finding, JudgeEvaluation, etc.)
+│   ├── config.ts             # .judgesrc configuration parser and validation
+│   ├── language-patterns.ts  # Multi-language regex pattern constants and helpers
 │   ├── ast/                  # AST analysis engine (built-in, no external deps)
 │   │   ├── index.ts          # analyzeStructure() — routes to correct parser
 │   │   ├── types.ts          # FunctionInfo, CodeStructure interfaces
@@ -626,12 +727,12 @@ judges/
 │   ├── evaluators/           # Analysis engine for each judge
 │   │   ├── index.ts          # evaluateWithJudge(), evaluateWithTribunal(), evaluateProject(), etc.
 │   │   ├── shared.ts         # Scoring, verdict logic, markdown formatters
-│   │   └── *.ts              # One analyzer per judge (33 files)
+│   │   └── *.ts              # One analyzer per judge (35 files)
 │   ├── reports/
 │   │   └── public-repo-report.ts   # Public repo clone + full tribunal report generation
 │   └── judges/               # Judge definitions (id, name, domain, system prompt)
 │       ├── index.ts          # JUDGES array, getJudge(), getJudgeSummaries()
-│       └── *.ts              # One definition per judge (33 files)
+│       └── *.ts              # One definition per judge (35 files)
 ├── scripts/
 │   ├── generate-public-repo-report.ts  # Run: npm run report:public-repo -- --repoUrl <url>
 │   └── daily-popular-repo-autofix.ts   # Run: npm run automation:daily-popular
@@ -674,6 +775,21 @@ This repo includes a scheduled workflow at `.github/workflows/daily-popular-repo
 - skips repositories unless they are public and PR creation is possible with existing GitHub auth (no additional auth flow).
 - enforces hard runtime caps of 10 repositories/day and 5 PRs/repository.
 
+Each run writes `daily-autofix-summary.json` (or `SUMMARY_PATH`) with per-repository telemetry, including:
+- `runAggregate` — compact run-level totals and cross-repo top prioritized rules,
+- `runAggregate.totalCandidatesDiscovered` and `runAggregate.totalCandidatesAfterLocationDedupe` — signal how much overlap was removed before attempting fixes,
+- `runAggregate.totalCandidatesAfterPriorityThreshold` — candidates that remain after applying minimum priority score,
+- `runAggregate.dedupeReductionPercent` — percent reduction from location dedupe for quick runtime-efficiency tracking,
+- `runAggregate.priorityThresholdReductionPercent` — percent reduction from minimum-priority filtering after dedupe,
+- `priorityRulePrefixesUsed` — dangerous rule prefixes used during prioritization,
+- `minPriorityScoreUsed` — minimum `candidatePriorityScore` applied for candidate inclusion,
+- `candidatesDiscovered`, `candidatesAfterLocationDedupe`, and `candidatesAfterPriorityThreshold` — per-repo candidate counts after each filter stage,
+- `topPrioritizedRuleCounts` — most common rule IDs among ranked candidates,
+- `topPrioritizedCandidates` — top ranked candidate samples (rule, severity, confidence, file, line, priority score).
+
+Optional runtime control:
+- `AUTOFIX_MIN_PRIORITY_SCORE` — minimum candidate priority score required after dedupe (default: `0`, disabled).
+
 Required secret:
 - `JUDGES_AUTOFIX_GH_TOKEN` — GitHub token with permission to fork/push/create PRs for target repositories.
 
@@ -684,6 +800,73 @@ gh workflow run "Judges Daily Full-Run Autofix PRs" -f targetRepoUrl=https://git
 
 ---
 
+## Programmatic API
+
+Judges can be consumed as a library (not just via MCP). Import from `@kevinrabun/judges/api`:
+
+```typescript
+import {
+  evaluateCode,
+  evaluateProject,
+  evaluateCodeSingleJudge,
+  getJudge,
+  JUDGES,
+  findingsToSarif,
+} from "@kevinrabun/judges/api";
+
+// Full tribunal evaluation
+const verdict = evaluateCode("const x = eval(input);", "typescript");
+console.log(verdict.overallScore, verdict.overallVerdict);
+
+// Single judge
+const result = evaluateCodeSingleJudge("cybersecurity", code, "typescript");
+
+// SARIF output for CI integration
+const sarif = findingsToSarif(verdict.evaluations.flatMap(e => e.findings));
+```
+
+### Package Exports
+
+| Entry Point | Description |
+|---|---|
+| `@kevinrabun/judges/api` | Programmatic API (default) |
+| `@kevinrabun/judges/server` | MCP server entry point |
+| `@kevinrabun/judges/sarif` | SARIF 2.1.0 formatter |
+
+### SARIF Output
+
+Convert findings to [SARIF 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) for GitHub Code Scanning, Azure DevOps, and other CI/CD tools:
+
+```typescript
+import { findingsToSarif, evaluationToSarif, verdictToSarif } from "@kevinrabun/judges/sarif";
+
+const sarif = verdictToSarif(verdict, "src/app.ts");
+fs.writeFileSync("results.sarif", JSON.stringify(sarif, null, 2));
+```
+
+---
+
+## Custom Error Types
+
+All thrown errors extend `JudgesError` with a machine-readable `code` property:
+
+| Error Class | Code | When |
+|---|---|---|
+| `ConfigError` | `JUDGES_CONFIG_INVALID` | Malformed `.judgesrc` or invalid inline config |
+| `EvaluationError` | `JUDGES_EVALUATION_FAILED` | Unknown judge, analyzer crash |
+| `ParseError` | `JUDGES_PARSE_FAILED` | Unparseable source code or input data |
+
+```typescript
+import { ConfigError, EvaluationError } from "@kevinrabun/judges/api";
+try {
+  evaluateCode(code, "typescript");
+} catch (e) {
+  if (e instanceof ConfigError) console.error("Config issue:", e.code);
+}
+```
+
+---
+
 ## License
 
 MIT

package/dist/api.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Judges Panel — Programmatic API
+ *
+ * Public entry-point for consuming judges as a library (not via MCP).
+ *
+ * ```ts
+ * import { evaluateCode, evaluateProject, getJudges } from "@kevinrabun/judges/api";
+ * const result = evaluateCode("const x = eval(input);", "typescript");
+ * ```
+ */
+export type { Severity, Verdict, Finding, Patch, LangFamily, JudgesConfig, RuleOverride, ProjectFile, ProjectVerdict, DiffVerdict, DependencyEntry, DependencyVerdict, JudgeEvaluation, TribunalVerdict, JudgeDefinition, EvaluationContextV2, EvidenceBundleV2, SpecializedFindingV2, TribunalVerdictV2, MustFixGateOptions, MustFixGateResult, AppBuilderWorkflowResult, PlainLanguageFinding, WorkflowTask, PolicyProfile, } from "./types.js";
+export { JudgesError, ConfigError, EvaluationError, ParseError } from "./errors.js";
+export { parseConfig, defaultConfig } from "./config.js";
+export { JUDGES, getJudge, getJudgeSummaries } from "./judges/index.js";
+export { evaluateWithJudge, evaluateWithTribunal, evaluateProject, evaluateDiff, analyzeDependencies, enrichWithPatches, crossEvaluatorDedup, applyInlineSuppressions, runAppBuilderWorkflow, formatVerdictAsMarkdown, formatEvaluationAsMarkdown, } from "./evaluators/index.js";
+export { evaluateCodeV2, evaluateProjectV2, getSupportedPolicyProfiles } from "./evaluators/v2.js";
+export { analyzeCrossFileTaint } from "./ast/cross-file-taint.js";
+export { findingsToSarif, evaluationToSarif, verdictToSarif } from "./formatters/sarif.js";
+import type { EvaluationOptions } from "./evaluators/index.js";
+import type { JudgeEvaluation, TribunalVerdict } from "./types.js";
+/**
+ * Evaluate code against the full panel of judges (convenience wrapper).
+ *
+ * @param code     - Source code to evaluate
+ * @param language - Programming language (e.g. "typescript", "python")
+ * @param options  - Optional config, context, target judges, etc.
+ * @returns Full tribunal verdict with per-judge evaluations and overall score
+ */
+export declare function evaluateCode(code: string, language: string, options?: EvaluationOptions): TribunalVerdict;
+/**
+ * Evaluate code with a single judge by name (convenience wrapper).
+ *
+ * @param judgeId  - The judge identifier (e.g. "cybersecurity", "performance")
+ * @param code     - Source code to evaluate
+ * @param language - Programming language
+ * @param options  - Optional config
+ * @returns Single-judge evaluation with findings and score
+ */
+export declare function evaluateCodeSingleJudge(judgeId: string, code: string, language: string, options?: EvaluationOptions): JudgeEvaluation;
+//# sourceMappingURL=api.d.ts.map

package/dist/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,YAAY,EACV,QAAQ,EACR,OAAO,EACP,OAAO,EACP,KAAK,EACL,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,WAAW,EACX,cAAc,EACd,WAAW,EACX,eAAe,EACf,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,eAAe,EACf,mBAAmB,EACnB,gBAAgB,EAChB,oBAAoB,EACpB,iBAAiB,EACjB,kBAAkB,EAClB,iBAAiB,EACjB,wBAAwB,EACxB,oBAAoB,EACpB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAGpF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAGzD,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAIxE,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAGnG,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAGlE,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAK3F,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,KAAK,EAAE,eAAe,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAInE;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,iBAAiB,GAAG,eAAe,CAEzG;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,eAAe,CAMjB"}

package/dist/api.js

@@ -0,0 +1,56 @@
+/**
+ * Judges Panel — Programmatic API
+ *
+ * Public entry-point for consuming judges as a library (not via MCP).
+ *
+ * ```ts
+ * import { evaluateCode, evaluateProject, getJudges } from "@kevinrabun/judges/api";
+ * const result = evaluateCode("const x = eval(input);", "typescript");
+ * ```
+ */
+// ─── Errors ──────────────────────────────────────────────────────────────────
+export { JudgesError, ConfigError, EvaluationError, ParseError } from "./errors.js";
+// ─── Config ──────────────────────────────────────────────────────────────────
+export { parseConfig, defaultConfig } from "./config.js";
+// ─── Judge Registry ──────────────────────────────────────────────────────────
+export { JUDGES, getJudge, getJudgeSummaries } from "./judges/index.js";
+// ─── Core Evaluation Functions ───────────────────────────────────────────────
+export { evaluateWithJudge, evaluateWithTribunal, evaluateProject, evaluateDiff, analyzeDependencies, enrichWithPatches, crossEvaluatorDedup, applyInlineSuppressions, runAppBuilderWorkflow, formatVerdictAsMarkdown, formatEvaluationAsMarkdown, } from "./evaluators/index.js";
+// ─── V2 Policy-Aware API ────────────────────────────────────────────────────
+export { evaluateCodeV2, evaluateProjectV2, getSupportedPolicyProfiles } from "./evaluators/v2.js";
+// ─── Cross-File Taint Analysis ───────────────────────────────────────────────
+export { analyzeCrossFileTaint } from "./ast/cross-file-taint.js";
+// ─── Formatters ──────────────────────────────────────────────────────────────
+export { findingsToSarif, evaluationToSarif, verdictToSarif } from "./formatters/sarif.js";
+// ─── Convenience Aliases ─────────────────────────────────────────────────────
+import { evaluateWithTribunal, evaluateWithJudge } from "./evaluators/index.js";
+import { getJudge } from "./judges/index.js";
+import { EvaluationError } from "./errors.js";
+/**
+ * Evaluate code against the full panel of judges (convenience wrapper).
+ *
+ * @param code     - Source code to evaluate
+ * @param language - Programming language (e.g. "typescript", "python")
+ * @param options  - Optional config, context, target judges, etc.
+ * @returns Full tribunal verdict with per-judge evaluations and overall score
+ */
+export function evaluateCode(code, language, options) {
+    return evaluateWithTribunal(code, language, undefined, options);
+}
+/**
+ * Evaluate code with a single judge by name (convenience wrapper).
+ *
+ * @param judgeId  - The judge identifier (e.g. "cybersecurity", "performance")
+ * @param code     - Source code to evaluate
+ * @param language - Programming language
+ * @param options  - Optional config
+ * @returns Single-judge evaluation with findings and score
+ */
+export function evaluateCodeSingleJudge(judgeId, code, language, options) {
+    const judge = getJudge(judgeId);
+    if (!judge) {
+        throw new EvaluationError(`Unknown judge: "${judgeId}"`, judgeId);
+    }
+    return evaluateWithJudge(judge, code, language, undefined, options);
+}
+//# sourceMappingURL=api.js.map

package/dist/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../src/api.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA+BH,gFAAgF;AAChF,OAAO,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEpF,gFAAgF;AAChF,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEzD,gFAAgF;AAChF,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,MAAM,mBAAmB,CAAC;AAExE,gFAAgF;AAEhF,OAAO,EACL,iBAAiB,EACjB,oBAAoB,EACpB,eAAe,EACf,YAAY,EACZ,mBAAmB,EACnB,iBAAiB,EACjB,mBAAmB,EACnB,uBAAuB,EACvB,qBAAqB,EACrB,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,uBAAuB,CAAC;AAE/B,+EAA+E;AAC/E,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,MAAM,oBAAoB,CAAC;AAEnG,gFAAgF;AAChF,OAAO,EAAE,qBAAqB,EAAE,MAAM,2BAA2B,CAAC;AAElE,gFAAgF;AAChF,OAAO,EAAE,eAAe,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAE3F,gFAAgF;AAEhF,OAAO,EAAE,oBAAoB,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAGhF,OAAO,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAC7C,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;;;;GAOG;AACH,MAAM,UAAU,YAAY,CAAC,IAAY,EAAE,QAAgB,EAAE,OAA2B;IACtF,OAAO,oBAAoB,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AAClE,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,uBAAuB,CACrC,OAAe,EACf,IAAY,EACZ,QAAgB,EAChB,OAA2B;IAE3B,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;IAChC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,eAAe,CAAC,mBAAmB,OAAO,GAAG,EAAE,OAAO,CAAC,CAAC;IACpE,CAAC;IACD,OAAO,iBAAiB,CAAC,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;AACtE,CAAC"}

package/dist/ast/cross-file-taint.d.ts

@@ -0,0 +1,43 @@
+import { type TaintSourceKind, type TaintSinkKind } from "./taint-tracker.js";
+/**
+ * A cross-file taint flow: tainted data originates in one file and reaches
+ * a dangerous sink in a different file via an import/export boundary.
+ */
+export interface CrossFileTaintFlow {
+    /** File where the untrusted data originates */
+    sourceFile: string;
+    /** File where the tainted data reaches a dangerous sink */
+    sinkFile: string;
+    /** The original taint source (e.g., req.body) */
+    source: {
+        line: number;
+        expression: string;
+        kind: TaintSourceKind;
+    };
+    /** The dangerous sink in the consuming file */
+    sink: {
+        line: number;
+        api: string;
+        kind: TaintSinkKind;
+    };
+    /** The exported name that carries taint across the boundary */
+    exportedBinding: string;
+    /** The imported name in the consuming file */
+    importedAs: string;
+    /** Confidence score (reduced for indirect flows) */
+    confidence: number;
+}
+/**
+ * Analyze taint flows across multiple files in a project. Traces tainted data
+ * from sources in one file through export/import boundaries to sinks in
+ * another file.
+ *
+ * Returns both intra-file flows (from the standard taint tracker) and
+ * cross-file flows where taint crosses module boundaries.
+ */
+export declare function analyzeCrossFileTaint(files: Array<{
+    path: string;
+    content: string;
+    language: string;
+}>): CrossFileTaintFlow[];
+//# sourceMappingURL=cross-file-taint.d.ts.map

package/dist/ast/cross-file-taint.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cross-file-taint.d.ts","sourceRoot":"","sources":["../../src/ast/cross-file-taint.ts"],"names":[],"mappings":"AAeA,OAAO,EAAqC,KAAK,eAAe,EAAE,KAAK,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAKjH;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IACjC,+CAA+C;IAC/C,UAAU,EAAE,MAAM,CAAC;IACnB,2DAA2D;IAC3D,QAAQ,EAAE,MAAM,CAAC;IACjB,iDAAiD;IACjD,MAAM,EAAE;QACN,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,CAAC;QACnB,IAAI,EAAE,eAAe,CAAC;KACvB,CAAC;IACF,+CAA+C;IAC/C,IAAI,EAAE;QACJ,IAAI,EAAE,MAAM,CAAC;QACb,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,aAAa,CAAC;KACrB,CAAC;IACF,+DAA+D;IAC/D,eAAe,EAAE,MAAM,CAAC;IACxB,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,oDAAoD;IACpD,UAAU,EAAE,MAAM,CAAC;CACpB;AAkjBD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,KAAK,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,CAAC,GAChE,kBAAkB,EAAE,CA4KtB"}