npm - @kevinrabun/judges - Versions diffs - 2.3.0 → 3.0.1 - Mend

@kevinrabun/judges 2.3.0 → 3.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (321) hide show

package/README.md +177 -12
package/dist/api.d.ts +40 -0
package/dist/api.d.ts.map +1 -0
package/dist/api.js +56 -0
package/dist/api.js.map +1 -0
package/dist/ast/cross-file-taint.d.ts +43 -0
package/dist/ast/cross-file-taint.d.ts.map +1 -0
package/dist/ast/cross-file-taint.js +713 -0
package/dist/ast/cross-file-taint.js.map +1 -0
package/dist/ast/index.d.ts +4 -0
package/dist/ast/index.d.ts.map +1 -1
package/dist/ast/index.js +5 -0
package/dist/ast/index.js.map +1 -1
package/dist/ast/structural-parser.d.ts.map +1 -1
package/dist/ast/structural-parser.js +66 -11
package/dist/ast/structural-parser.js.map +1 -1
package/dist/ast/taint-tracker.d.ts +35 -0
package/dist/ast/taint-tracker.d.ts.map +1 -0
package/dist/ast/taint-tracker.js +518 -0
package/dist/ast/taint-tracker.js.map +1 -0
package/dist/ast/types.d.ts +2 -0
package/dist/ast/types.d.ts.map +1 -1
package/dist/ast/typescript-ast.d.ts.map +1 -1
package/dist/ast/typescript-ast.js +25 -5
package/dist/ast/typescript-ast.js.map +1 -1
package/dist/config.d.ts.map +1 -1
package/dist/config.js +10 -9
package/dist/config.js.map +1 -1
package/dist/dedup.d.ts +19 -0
package/dist/dedup.d.ts.map +1 -0
package/dist/dedup.js +222 -0
package/dist/dedup.js.map +1 -0
package/dist/errors.d.ts +37 -0
package/dist/errors.d.ts.map +1 -0
package/dist/errors.js +57 -0
package/dist/errors.js.map +1 -0
package/dist/evaluators/accessibility.d.ts +1 -1
package/dist/evaluators/accessibility.d.ts.map +1 -1
package/dist/evaluators/accessibility.js +22 -16
package/dist/evaluators/accessibility.js.map +1 -1
package/dist/evaluators/agent-instructions.d.ts +1 -1
package/dist/evaluators/agent-instructions.d.ts.map +1 -1
package/dist/evaluators/agent-instructions.js +1 -2
package/dist/evaluators/agent-instructions.js.map +1 -1
package/dist/evaluators/ai-code-safety.d.ts +1 -1
package/dist/evaluators/ai-code-safety.d.ts.map +1 -1
package/dist/evaluators/ai-code-safety.js +2 -6
package/dist/evaluators/ai-code-safety.js.map +1 -1
package/dist/evaluators/api-design.d.ts +1 -1
package/dist/evaluators/api-design.d.ts.map +1 -1
package/dist/evaluators/api-design.js +2 -1
package/dist/evaluators/api-design.js.map +1 -1
package/dist/evaluators/app-builder.d.ts +34 -0
package/dist/evaluators/app-builder.d.ts.map +1 -0
package/dist/evaluators/app-builder.js +156 -0
package/dist/evaluators/app-builder.js.map +1 -0
package/dist/evaluators/authentication.d.ts +1 -1
package/dist/evaluators/authentication.d.ts.map +1 -1
package/dist/evaluators/authentication.js +2 -66
package/dist/evaluators/authentication.js.map +1 -1
package/dist/evaluators/backwards-compatibility.d.ts +1 -1
package/dist/evaluators/backwards-compatibility.d.ts.map +1 -1
package/dist/evaluators/backwards-compatibility.js.map +1 -1
package/dist/evaluators/caching.d.ts +1 -1
package/dist/evaluators/caching.d.ts.map +1 -1
package/dist/evaluators/caching.js.map +1 -1
package/dist/evaluators/ci-cd.d.ts +1 -1
package/dist/evaluators/ci-cd.d.ts.map +1 -1
package/dist/evaluators/ci-cd.js +4 -4
package/dist/evaluators/ci-cd.js.map +1 -1
package/dist/evaluators/cloud-readiness.d.ts +1 -1
package/dist/evaluators/cloud-readiness.d.ts.map +1 -1
package/dist/evaluators/cloud-readiness.js.map +1 -1
package/dist/evaluators/code-structure.d.ts +1 -1
package/dist/evaluators/code-structure.d.ts.map +1 -1
package/dist/evaluators/code-structure.js +2 -6
package/dist/evaluators/code-structure.js.map +1 -1
package/dist/evaluators/compliance.d.ts +1 -1
package/dist/evaluators/compliance.d.ts.map +1 -1
package/dist/evaluators/compliance.js +15 -6
package/dist/evaluators/compliance.js.map +1 -1
package/dist/evaluators/concurrency.d.ts +1 -1
package/dist/evaluators/concurrency.d.ts.map +1 -1
package/dist/evaluators/concurrency.js +9 -4
package/dist/evaluators/concurrency.js.map +1 -1
package/dist/evaluators/configuration-management.d.ts +1 -1
package/dist/evaluators/configuration-management.d.ts.map +1 -1
package/dist/evaluators/configuration-management.js +7 -2
package/dist/evaluators/configuration-management.js.map +1 -1
package/dist/evaluators/cost-effectiveness.d.ts +1 -1
package/dist/evaluators/cost-effectiveness.d.ts.map +1 -1
package/dist/evaluators/cost-effectiveness.js +1 -3
package/dist/evaluators/cost-effectiveness.js.map +1 -1
package/dist/evaluators/cybersecurity.d.ts +1 -1
package/dist/evaluators/cybersecurity.d.ts.map +1 -1
package/dist/evaluators/cybersecurity.js +50 -1
package/dist/evaluators/cybersecurity.js.map +1 -1
package/dist/evaluators/data-security.d.ts +1 -1
package/dist/evaluators/data-security.d.ts.map +1 -1
package/dist/evaluators/data-security.js +9 -66
package/dist/evaluators/data-security.js.map +1 -1
package/dist/evaluators/data-sovereignty.d.ts +1 -1
package/dist/evaluators/data-sovereignty.d.ts.map +1 -1
package/dist/evaluators/data-sovereignty.js +4 -2
package/dist/evaluators/data-sovereignty.js.map +1 -1
package/dist/evaluators/database.d.ts +1 -1
package/dist/evaluators/database.d.ts.map +1 -1
package/dist/evaluators/database.js +3 -1
package/dist/evaluators/database.js.map +1 -1
package/dist/evaluators/dependencies.d.ts +6 -0
package/dist/evaluators/dependencies.d.ts.map +1 -0
package/dist/evaluators/dependencies.js +204 -0
package/dist/evaluators/dependencies.js.map +1 -0
package/dist/evaluators/dependency-health.d.ts +1 -1
package/dist/evaluators/dependency-health.d.ts.map +1 -1
package/dist/evaluators/dependency-health.js +198 -6
package/dist/evaluators/dependency-health.js.map +1 -1
package/dist/evaluators/documentation.d.ts +1 -1
package/dist/evaluators/documentation.d.ts.map +1 -1
package/dist/evaluators/documentation.js +5 -2
package/dist/evaluators/documentation.js.map +1 -1
package/dist/evaluators/error-handling.d.ts +1 -1
package/dist/evaluators/error-handling.d.ts.map +1 -1
package/dist/evaluators/error-handling.js.map +1 -1
package/dist/evaluators/ethics-bias.d.ts +1 -1
package/dist/evaluators/ethics-bias.d.ts.map +1 -1
package/dist/evaluators/ethics-bias.js +10 -5
package/dist/evaluators/ethics-bias.js.map +1 -1
package/dist/evaluators/framework-safety.d.ts +13 -0
package/dist/evaluators/framework-safety.d.ts.map +1 -0
package/dist/evaluators/framework-safety.js +424 -0
package/dist/evaluators/framework-safety.js.map +1 -0
package/dist/evaluators/index.d.ts +20 -24
package/dist/evaluators/index.d.ts.map +1 -1
package/dist/evaluators/index.js +294 -728
package/dist/evaluators/index.js.map +1 -1
package/dist/evaluators/internationalization.d.ts +1 -1
package/dist/evaluators/internationalization.d.ts.map +1 -1
package/dist/evaluators/internationalization.js +14 -6
package/dist/evaluators/internationalization.js.map +1 -1
package/dist/evaluators/logging-privacy.d.ts +1 -1
package/dist/evaluators/logging-privacy.d.ts.map +1 -1
package/dist/evaluators/logging-privacy.js +3 -1
package/dist/evaluators/logging-privacy.js.map +1 -1
package/dist/evaluators/maintainability.d.ts +1 -1
package/dist/evaluators/maintainability.d.ts.map +1 -1
package/dist/evaluators/maintainability.js +15 -9
package/dist/evaluators/maintainability.js.map +1 -1
package/dist/evaluators/observability.d.ts +1 -1
package/dist/evaluators/observability.d.ts.map +1 -1
package/dist/evaluators/observability.js +2 -1
package/dist/evaluators/observability.js.map +1 -1
package/dist/evaluators/performance.d.ts +1 -1
package/dist/evaluators/performance.d.ts.map +1 -1
package/dist/evaluators/performance.js +181 -4
package/dist/evaluators/performance.js.map +1 -1
package/dist/evaluators/portability.d.ts +1 -1
package/dist/evaluators/portability.d.ts.map +1 -1
package/dist/evaluators/portability.js +2 -1
package/dist/evaluators/portability.js.map +1 -1
package/dist/evaluators/project.d.ts +16 -0
package/dist/evaluators/project.d.ts.map +1 -0
package/dist/evaluators/project.js +353 -0
package/dist/evaluators/project.js.map +1 -0
package/dist/evaluators/rate-limiting.d.ts +1 -1
package/dist/evaluators/rate-limiting.d.ts.map +1 -1
package/dist/evaluators/rate-limiting.js.map +1 -1
package/dist/evaluators/reliability.d.ts +1 -1
package/dist/evaluators/reliability.d.ts.map +1 -1
package/dist/evaluators/reliability.js.map +1 -1
package/dist/evaluators/scalability.d.ts +1 -1
package/dist/evaluators/scalability.d.ts.map +1 -1
package/dist/evaluators/scalability.js +3 -1
package/dist/evaluators/scalability.js.map +1 -1
package/dist/evaluators/shared.d.ts +24 -2
package/dist/evaluators/shared.d.ts.map +1 -1
package/dist/evaluators/shared.js +190 -2
package/dist/evaluators/shared.js.map +1 -1
package/dist/evaluators/software-practices.d.ts +1 -1
package/dist/evaluators/software-practices.d.ts.map +1 -1
package/dist/evaluators/software-practices.js +3 -3
package/dist/evaluators/software-practices.js.map +1 -1
package/dist/evaluators/testing.d.ts +1 -1
package/dist/evaluators/testing.d.ts.map +1 -1
package/dist/evaluators/testing.js +12 -4
package/dist/evaluators/testing.js.map +1 -1
package/dist/evaluators/ux.d.ts +1 -1
package/dist/evaluators/ux.d.ts.map +1 -1
package/dist/evaluators/ux.js.map +1 -1
package/dist/evaluators/v2.d.ts +1 -1
package/dist/evaluators/v2.d.ts.map +1 -1
package/dist/evaluators/v2.js +13 -35
package/dist/evaluators/v2.js.map +1 -1
package/dist/formatters/sarif.d.ts +75 -0
package/dist/formatters/sarif.d.ts.map +1 -0
package/dist/formatters/sarif.js +93 -0
package/dist/formatters/sarif.js.map +1 -0
package/dist/index.d.ts +4 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +9 -806
package/dist/index.js.map +1 -1
package/dist/judges/accessibility.d.ts +1 -1
package/dist/judges/accessibility.d.ts.map +1 -1
package/dist/judges/agent-instructions.d.ts +1 -1
package/dist/judges/agent-instructions.d.ts.map +1 -1
package/dist/judges/ai-code-safety.d.ts +1 -1
package/dist/judges/ai-code-safety.d.ts.map +1 -1
package/dist/judges/api-design.d.ts +1 -1
package/dist/judges/api-design.d.ts.map +1 -1
package/dist/judges/authentication.d.ts +1 -1
package/dist/judges/authentication.d.ts.map +1 -1
package/dist/judges/backwards-compatibility.d.ts +1 -1
package/dist/judges/backwards-compatibility.d.ts.map +1 -1
package/dist/judges/caching.d.ts +1 -1
package/dist/judges/caching.d.ts.map +1 -1
package/dist/judges/ci-cd.d.ts +1 -1
package/dist/judges/ci-cd.d.ts.map +1 -1
package/dist/judges/cloud-readiness.d.ts +1 -1
package/dist/judges/cloud-readiness.d.ts.map +1 -1
package/dist/judges/code-structure.d.ts +1 -1
package/dist/judges/code-structure.d.ts.map +1 -1
package/dist/judges/code-structure.js +7 -1
package/dist/judges/code-structure.js.map +1 -1
package/dist/judges/compliance.d.ts +1 -1
package/dist/judges/compliance.d.ts.map +1 -1
package/dist/judges/concurrency.d.ts +1 -1
package/dist/judges/concurrency.d.ts.map +1 -1
package/dist/judges/configuration-management.d.ts +1 -1
package/dist/judges/configuration-management.d.ts.map +1 -1
package/dist/judges/cost-effectiveness.d.ts +1 -1
package/dist/judges/cost-effectiveness.d.ts.map +1 -1
package/dist/judges/cybersecurity.d.ts +1 -1
package/dist/judges/cybersecurity.d.ts.map +1 -1
package/dist/judges/data-security.d.ts +1 -1
package/dist/judges/data-security.d.ts.map +1 -1
package/dist/judges/data-sovereignty.d.ts +1 -1
package/dist/judges/data-sovereignty.d.ts.map +1 -1
package/dist/judges/database.d.ts +1 -1
package/dist/judges/database.d.ts.map +1 -1
package/dist/judges/dependency-health.d.ts +1 -1
package/dist/judges/dependency-health.d.ts.map +1 -1
package/dist/judges/documentation.d.ts +1 -1
package/dist/judges/documentation.d.ts.map +1 -1
package/dist/judges/error-handling.d.ts +1 -1
package/dist/judges/error-handling.d.ts.map +1 -1
package/dist/judges/ethics-bias.d.ts +1 -1
package/dist/judges/ethics-bias.d.ts.map +1 -1
package/dist/judges/framework-safety.d.ts +3 -0
package/dist/judges/framework-safety.d.ts.map +1 -0
package/dist/judges/framework-safety.js +31 -0
package/dist/judges/framework-safety.js.map +1 -0
package/dist/judges/index.d.ts +1 -1
package/dist/judges/index.d.ts.map +1 -1
package/dist/judges/index.js +74 -0
package/dist/judges/index.js.map +1 -1
package/dist/judges/internationalization.d.ts +1 -1
package/dist/judges/internationalization.d.ts.map +1 -1
package/dist/judges/logging-privacy.d.ts +1 -1
package/dist/judges/logging-privacy.d.ts.map +1 -1
package/dist/judges/maintainability.d.ts +1 -1
package/dist/judges/maintainability.d.ts.map +1 -1
package/dist/judges/observability.d.ts +1 -1
package/dist/judges/observability.d.ts.map +1 -1
package/dist/judges/performance.d.ts +1 -1
package/dist/judges/performance.d.ts.map +1 -1
package/dist/judges/portability.d.ts +1 -1
package/dist/judges/portability.d.ts.map +1 -1
package/dist/judges/rate-limiting.d.ts +1 -1
package/dist/judges/rate-limiting.d.ts.map +1 -1
package/dist/judges/reliability.d.ts +1 -1
package/dist/judges/reliability.d.ts.map +1 -1
package/dist/judges/scalability.d.ts +1 -1
package/dist/judges/scalability.d.ts.map +1 -1
package/dist/judges/software-practices.d.ts +1 -1
package/dist/judges/software-practices.d.ts.map +1 -1
package/dist/judges/testing.d.ts +1 -1
package/dist/judges/testing.d.ts.map +1 -1
package/dist/judges/ux.d.ts +1 -1
package/dist/judges/ux.d.ts.map +1 -1
package/dist/language-patterns.d.ts +37 -0
package/dist/language-patterns.d.ts.map +1 -1
package/dist/language-patterns.js +58 -3
package/dist/language-patterns.js.map +1 -1
package/dist/patches/index.d.ts +10 -0
package/dist/patches/index.d.ts.map +1 -0
package/dist/patches/index.js +533 -0
package/dist/patches/index.js.map +1 -0
package/dist/reports/public-repo-report.d.ts +1 -1
package/dist/reports/public-repo-report.d.ts.map +1 -1
package/dist/scoring.d.ts +18 -0
package/dist/scoring.d.ts.map +1 -0
package/dist/scoring.js +178 -0
package/dist/scoring.js.map +1 -0
package/dist/tools/deep-review.d.ts +4 -0
package/dist/tools/deep-review.d.ts.map +1 -0
package/dist/tools/deep-review.js +56 -0
package/dist/tools/deep-review.js.map +1 -0
package/dist/tools/prompts.d.ts +8 -0
package/dist/tools/prompts.d.ts.map +1 -0
package/dist/tools/prompts.js +66 -0
package/dist/tools/prompts.js.map +1 -0
package/dist/tools/register-evaluation.d.ts +7 -0
package/dist/tools/register-evaluation.d.ts.map +1 -0
package/dist/tools/register-evaluation.js +303 -0
package/dist/tools/register-evaluation.js.map +1 -0
package/dist/tools/register-workflow.d.ts +7 -0
package/dist/tools/register-workflow.d.ts.map +1 -0
package/dist/tools/register-workflow.js +395 -0
package/dist/tools/register-workflow.js.map +1 -0
package/dist/tools/register.d.ts +7 -0
package/dist/tools/register.d.ts.map +1 -0
package/dist/tools/register.js +14 -0
package/dist/tools/register.js.map +1 -0
package/dist/tools/schemas.d.ts +26 -0
package/dist/tools/schemas.d.ts.map +1 -0
package/dist/tools/schemas.js +42 -0
package/dist/tools/schemas.js.map +1 -0
package/dist/types.d.ts +29 -2
package/dist/types.d.ts.map +1 -1
package/package.json +42 -3
package/server.json +51 -3

package/dist/evaluators/index.js CHANGED Viewed

@@ -2,415 +2,343 @@
 // Re-exports the evaluation engine: analyser routing, scoring, formatting.
 // ──────────────────────────────────────────────────────────────────────────────
 import { JUDGES } from "../judges/index.js";
+import { analyzeStructure } from "../ast/index.js";
+import { analyzeTaintFlows } from "../ast/index.js";
 // ─── Shared Utilities ────────────────────────────────────────────────────────
-import { calculateScore, deriveVerdict, buildSummary, buildTribunalSummary, formatVerdictAsMarkdown, formatEvaluationAsMarkdown, } from "./shared.js";
-// ─── Individual Analyzers ────────────────────────────────────────────────────
-import { analyzeDataSecurity } from "./data-security.js";
-import { analyzeCybersecurity } from "./cybersecurity.js";
-import { analyzeCostEffectiveness } from "./cost-effectiveness.js";
-import { analyzeScalability } from "./scalability.js";
-import { analyzeCloudReadiness } from "./cloud-readiness.js";
-import { analyzeSoftwarePractices } from "./software-practices.js";
-import { analyzeAccessibility } from "./accessibility.js";
-import { analyzeApiDesign } from "./api-design.js";
-import { analyzeReliability } from "./reliability.js";
-import { analyzeObservability } from "./observability.js";
-import { analyzePerformance } from "./performance.js";
-import { analyzeCompliance } from "./compliance.js";
-import { analyzeDataSovereignty } from "./data-sovereignty.js";
-import { analyzeTesting } from "./testing.js";
-import { analyzeDocumentation } from "./documentation.js";
-import { analyzeInternationalization } from "./internationalization.js";
-import { analyzeDependencyHealth } from "./dependency-health.js";
-import { analyzeConcurrency } from "./concurrency.js";
-import { analyzeEthicsBias } from "./ethics-bias.js";
-import { analyzeMaintainability } from "./maintainability.js";
-import { analyzeErrorHandling } from "./error-handling.js";
-import { analyzeAuthentication } from "./authentication.js";
-import { analyzeDatabase } from "./database.js";
-import { analyzeCaching } from "./caching.js";
-import { analyzeConfigurationManagement } from "./configuration-management.js";
-import { analyzeBackwardsCompatibility } from "./backwards-compatibility.js";
-import { analyzePortability } from "./portability.js";
-import { analyzeUx } from "./ux.js";
-import { analyzeLoggingPrivacy } from "./logging-privacy.js";
-import { analyzeRateLimiting } from "./rate-limiting.js";
-import { analyzeCiCd } from "./ci-cd.js";
-import { analyzeCodeStructure } from "./code-structure.js";
-import { analyzeAgentInstructions } from "./agent-instructions.js";
-import { analyzeAiCodeSafety } from "./ai-code-safety.js";
-const DEFAULT_MUST_FIX_PREFIXES = [
-    "AUTH-",
-    "CYBER-",
-    "DATA-",
-    "ERR-",
-    "REL-",
-    "RATE-",
-    "DB-",
-    "COMP-",
-    "LOGPRIV-",
-    "AICS-",
-];
-function evaluateMustFixGate(findings, options) {
-    if (!options?.enabled) {
-        return undefined;
+import { calculateScore, deriveVerdict, buildSummary, buildTribunalSummary, formatVerdictAsMarkdown, formatEvaluationAsMarkdown, classifyFile, shouldRunAbsenceRules, applyConfig, } from "./shared.js";
+// ─── Extracted Modules ───────────────────────────────────────────────────────
+import { evaluateMustFixGate, clampConfidence, applyConfidenceThreshold, isAbsenceBasedFinding, } from "../scoring.js";
+import { enrichWithPatches } from "../patches/index.js";
+import { crossEvaluatorDedup } from "../dedup.js";
+// ── AST-aware post-processing ───────────────────────────────────────────────
+/**
+ * Known sanitization/security library names. When one is imported, related
+ * findings can have confidence reduced because the developer has taken steps
+ * to mitigate the issue.
+ */
+const SECURITY_IMPORTS = {
+    xss: ["dompurify", "sanitize-html", "xss", "isomorphic-dompurify", "xss-filters"],
+    headers: ["helmet", "secure-headers", "django-security"],
+    rateLimit: ["express-rate-limit", "rate-limiter-flexible", "bottleneck", "limiter", "rate-limit"],
+    validation: ["joi", "zod", "yup", "ajv", "class-validator", "express-validator"],
+    csrf: ["csurf", "csrf", "csrf-csrf"],
+    crypto: ["bcrypt", "argon2", "scrypt"],
+    jwt: ["jsonwebtoken", "jose", "passport-jwt"],
+};
+/**
+ * Returns the containing function for a given line number, if any.
+ */
+function getContainingFunction(line, structure) {
+    return structure.functions.find((f) => line >= f.startLine && line <= f.endLine);
+}
+const TEST_FUNCTION_PATTERN = /^(?:test|it|describe|beforeEach|afterEach|beforeAll|afterAll|setUp|tearDown|test_|spec_)/i;
+// ─── Taint Flow → Finding Matching ───────────────────────────────────────────
+/** Map taint-sink kinds to finding title/ruleId patterns they confirm */
+const TAINT_SINK_TO_FINDING = {
+    "code-execution": /eval|code.?inject|code.?exec|dynamic.?code/i,
+    "command-exec": /command.?inject|os.?command|shell.?inject|exec/i,
+    "sql-query": /sql.?inject|query.?inject|unsanitized.?query/i,
+    xss: /xss|cross.?site\s*script|innerhtml|html.?inject/i,
+    "path-traversal": /path.?travers|directory.?travers|file.?inclu/i,
+    redirect: /open.?redirect|unvalidated.?redirect/i,
+    deserialization: /deseri|unsafe.?parse|untrusted.?data.?parse/i,
+    template: /template.?inject|ssti/i,
+};
+/**
+ * Apply AST-aware refinements to findings:
+ * - Remove findings on dead code lines
+ * - Lower confidence for findings inside test-like functions
+ * - Adjust confidence based on imported security libraries
+ * - Boost/annotate findings confirmed by taint flow analysis
+ */
+function applyAstRefinements(findings, structure, taintFlows) {
+    const deadSet = new Set(structure.deadCodeLines);
+    const importNames = new Set(structure.imports
+        .map((i) => {
+        // Extract package name from path: "@scope/pkg" → "@scope/pkg", "helmet" → "helmet"
+        const parts = i.split("/");
+        return i.startsWith("@") ? parts.slice(0, 2).join("/") : parts[0];
+    })
+        .map((n) => n.toLowerCase()));
+    // Determine which security categories have mitigations imported
+    const mitigatedCategories = new Set();
+    for (const [category, libs] of Object.entries(SECURITY_IMPORTS)) {
+        if (libs.some((lib) => importNames.has(lib))) {
+            mitigatedCategories.add(category);
+        }
     }
-    const minConfidence = clampConfidence(options.minConfidence ?? 0.85);
-    const prefixes = options.dangerousRulePrefixes?.length
-        ? options.dangerousRulePrefixes
-        : DEFAULT_MUST_FIX_PREFIXES;
-    const dangerSignal = /(injection|command\s*execution|sql|xss|ssrf|deseriali[sz]ation|auth(?:entication|orization)?\s*bypass|hardcoded\s+(?:secret|credential|password|token)|unsafe\s+eval|\beval\(|\bexec\()/i;
-    const matched = findings.filter((finding) => {
-        const severityMatch = finding.severity === "critical" || finding.severity === "high";
-        if (!severityMatch)
-            return false;
-        const confidence = finding.confidence ?? 0;
-        if (confidence < minConfidence)
+    // Build a map of sink lines → taint flows for fast lookup
+    const flowsBySinkLine = new Map();
+    if (taintFlows) {
+        for (const flow of taintFlows) {
+            const existing = flowsBySinkLine.get(flow.sink.line) ?? [];
+            existing.push(flow);
+            flowsBySinkLine.set(flow.sink.line, existing);
+        }
+    }
+    return findings
+        .filter((f) => {
+        // Remove findings where ALL referenced lines are dead code
+        if (f.lineNumbers && f.lineNumbers.length > 0 && f.lineNumbers.every((l) => deadSet.has(l))) {
             return false;
-        const prefixMatch = prefixes.some((prefix) => finding.ruleId.startsWith(prefix));
-        const contentMatch = dangerSignal.test(`${finding.title} ${finding.description} ${finding.recommendation}`);
-        return prefixMatch || contentMatch;
+        }
+        return true;
+    })
+        .map((f) => {
+        let confidenceAdj = 0;
+        let descriptionSuffix = "";
+        // Lower confidence for findings inside test-like functions
+        if (f.lineNumbers && f.lineNumbers.length > 0) {
+            const primaryLine = f.lineNumbers[0];
+            const fn = getContainingFunction(primaryLine, structure);
+            if (fn && TEST_FUNCTION_PATTERN.test(fn.name)) {
+                confidenceAdj -= 0.15;
+            }
+        }
+        // Adjust confidence based on security library imports
+        const title = f.title.toLowerCase();
+        if (mitigatedCategories.has("xss") && /xss|innerhtml|cross.?site\s*script/i.test(title)) {
+            confidenceAdj -= 0.2;
+        }
+        if (mitigatedCategories.has("headers") && /security\s*header|helmet/i.test(title)) {
+            confidenceAdj -= 0.25;
+        }
+        if (mitigatedCategories.has("rateLimit") && /rate\s*limit|throttl/i.test(title)) {
+            confidenceAdj -= 0.2;
+        }
+        if (mitigatedCategories.has("validation") && /input\s*valid|sanitiz|unsanitized/i.test(title)) {
+            confidenceAdj -= 0.15;
+        }
+        if (mitigatedCategories.has("csrf") && /csrf|cross.?site\s*request/i.test(title)) {
+            confidenceAdj -= 0.25;
+        }
+        // ── Taint flow confirmation ────────────────────────────────────────
+        if (taintFlows && taintFlows.length > 0 && f.lineNumbers && f.lineNumbers.length > 0) {
+            const matchingFlows = findMatchingTaintFlows(f, flowsBySinkLine);
+            if (matchingFlows.length > 0) {
+                // Confirmed: user input reaches this sink → boost confidence
+                confidenceAdj += 0.2;
+                const flow = matchingFlows[0];
+                const via = flow.intermediates.length > 0 ? ` via ${flow.intermediates.map((i) => i.variable).join(" → ")}` : "";
+                descriptionSuffix = `\n\n**Confirmed data flow**: \`${flow.source.expression}\` (line ${flow.source.line})${via} → sink at line ${flow.sink.line}`;
+            }
+        }
+        if (confidenceAdj !== 0 || descriptionSuffix) {
+            const currentConf = f.confidence ?? 0.5;
+            return {
+                ...f,
+                confidence: clampConfidence(currentConf + confidenceAdj),
+                ...(descriptionSuffix ? { description: (f.description ?? "") + descriptionSuffix } : {}),
+            };
+        }
+        return f;
     });
-    const matchedRuleIds = [...new Set(matched.map((finding) => finding.ruleId))];
-    const triggered = matched.length > 0;
-    return {
-        enabled: true,
-        triggered,
-        minConfidence,
-        matchedCount: matched.length,
-        matchedRuleIds,
-        summary: triggered
-            ? `Must-fix gate triggered by ${matched.length} high-confidence dangerous finding(s).`
-            : "Must-fix gate passed with no high-confidence dangerous findings.",
-    };
-}
-function clampConfidence(value) {
-    if (!Number.isFinite(value))
-        return 0;
-    return Math.max(0, Math.min(1, value));
 }
-function estimateFindingConfidence(finding) {
-    const existing = typeof finding.confidence === "number" ? finding.confidence : undefined;
-    if (typeof existing === "number" && Number.isFinite(existing)) {
-        return clampConfidence(existing);
-    }
-    let score = 0.4;
-    const lineCount = finding.lineNumbers?.length ?? 0;
-    if (lineCount === 0) {
-        score -= 0.12;
-    }
-    else if (lineCount <= 3) {
-        score += 0.22;
-    }
-    else if (lineCount <= 8) {
-        score += 0.14;
-    }
-    else {
-        score += 0.06;
-    }
-    const hasReference = Boolean(finding.reference);
-    const hasSuggestedFix = Boolean(finding.suggestedFix);
-    const hasRichDescription = finding.description.length >= 120;
-    const hasRichRecommendation = finding.recommendation.length >= 90;
-    if (hasReference)
-        score += 0.1;
-    if (hasSuggestedFix)
-        score += 0.12;
-    if (hasRichDescription)
-        score += 0.05;
-    if (hasRichRecommendation)
-        score += 0.05;
-    const richEvidenceCount = [
-        hasReference,
-        hasSuggestedFix,
-        hasRichDescription,
-        hasRichRecommendation,
-    ].filter(Boolean).length;
-    if (lineCount > 0 && richEvidenceCount >= 3) {
-        score += 0.08;
-    }
-    if (lineCount > 0 && richEvidenceCount === 4) {
-        score += 0.05;
-    }
-    const noisyPrefixes = [
-        "API-",
-        "COMP-",
-        "CONC-",
-        "CYBER-",
-        "DB-",
-        "DEPS-",
-        "ETHICS-",
-        "LOGPRIV-",
-        "OBS-",
-        "PERF-",
-    ];
-    if (noisyPrefixes.some((prefix) => finding.ruleId.startsWith(prefix)) && richEvidenceCount < 4) {
-        score = Math.min(score, 0.89);
+/**
+ * Find taint flows that confirm a given finding.
+ * Matches by checking if any of the finding's referenced lines correspond to
+ * a taint sink and the sink kind matches the finding's topic.
+ */
+function findMatchingTaintFlows(finding, flowsBySinkLine) {
+    if (!finding.lineNumbers || finding.lineNumbers.length === 0)
+        return [];
+    const title = (finding.title + " " + (finding.ruleId ?? "")).toLowerCase();
+    const matched = [];
+    for (const line of finding.lineNumbers) {
+        const flows = flowsBySinkLine.get(line);
+        if (!flows)
+            continue;
+        for (const flow of flows) {
+            const pattern = TAINT_SINK_TO_FINDING[flow.sink.kind];
+            if (pattern && pattern.test(title)) {
+                matched.push(flow);
+            }
+        }
     }
-    return Number(clampConfidence(score).toFixed(2));
+    return matched;
 }
-function applyConfidenceThreshold(findings, options) {
-    const minConfidence = clampConfidence(options?.minConfidence ?? 0);
-    const normalized = findings.map((finding) => ({
-        ...finding,
-        confidence: estimateFindingConfidence(finding),
-    }));
-    if (minConfidence <= 0) {
-        return normalized;
+// ── Inline suppression comment support ──────────────────────────────────────
+/**
+ * Scan source code for inline `// judges-ignore RULE-ID` or
+ * `// judges-ignore-next-line RULE-ID` comments. Returns a set of suppressed
+ * {ruleId, line} pairs and a set of globally suppressed rule IDs.
+ */
+function parseInlineSuppressions(code) {
+    const lines = code.split("\n");
+    const lineSuppressed = new Map();
+    const globalSuppressed = new Set();
+    // Pattern: // judges-ignore RULE-ID [, RULE-ID ...]
+    //          // judges-ignore-next-line RULE-ID [, RULE-ID ...]
+    //          # judges-ignore RULE-ID  (Python, YAML, etc.)
+    const suppressPattern = /(?:\/\/|#|\/\*)\s*judges-ignore(?:-next-line)?\s+([\w*,\s-]+)/gi;
+    const isNextLine = /judges-ignore-next-line/i;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        let match;
+        suppressPattern.lastIndex = 0;
+        while ((match = suppressPattern.exec(line)) !== null) {
+            const ruleIds = match[1].split(/[,\s]+/).filter(Boolean);
+            const targetLine = isNextLine.test(match[0]) ? i + 2 : i + 1; // 1-indexed
+            for (const ruleId of ruleIds) {
+                if (ruleId === "*") {
+                    // Wildcard: suppress all rules on this line
+                    const set = lineSuppressed.get(targetLine) ?? new Set();
+                    set.add("*");
+                    lineSuppressed.set(targetLine, set);
+                }
+                else {
+                    const set = lineSuppressed.get(targetLine) ?? new Set();
+                    set.add(ruleId.toUpperCase());
+                    lineSuppressed.set(targetLine, set);
+                }
+            }
+        }
+        // File-level suppression: // judges-file-ignore RULE-ID
+        const filePattern = /(?:\/\/|#|\/\*)\s*judges-file-ignore\s+([\w*,\s-]+)/gi;
+        let fileMatch;
+        filePattern.lastIndex = 0;
+        while ((fileMatch = filePattern.exec(line)) !== null) {
+            const ruleIds = fileMatch[1].split(/[,\s]+/).filter(Boolean);
+            for (const ruleId of ruleIds) {
+                globalSuppressed.add(ruleId === "*" ? "*" : ruleId.toUpperCase());
+            }
+        }
     }
-    return normalized.filter((finding) => (finding.confidence ?? 0) >= minConfidence);
+    return { lineSuppressed, globalSuppressed };
+}
+/**
+ * Filter findings based on inline suppression comments in the source code.
+ */
+export function applyInlineSuppressions(findings, code) {
+    const { lineSuppressed, globalSuppressed } = parseInlineSuppressions(code);
+    if (lineSuppressed.size === 0 && globalSuppressed.size === 0) {
+        return findings;
+    }
+    return findings.filter((f) => {
+        const ruleUpper = f.ruleId.toUpperCase();
+        // Check file-level suppression
+        if (globalSuppressed.has("*") || globalSuppressed.has(ruleUpper)) {
+            return false;
+        }
+        // Check prefix wildcards: "AUTH-*" suppresses "AUTH-001"
+        for (const suppressed of globalSuppressed) {
+            if (suppressed.endsWith("-*") && ruleUpper.startsWith(suppressed.slice(0, -1))) {
+                return false;
+            }
+        }
+        // Check line-level suppressions
+        if (f.lineNumbers && f.lineNumbers.length > 0) {
+            for (const lineNum of f.lineNumbers) {
+                const suppressed = lineSuppressed.get(lineNum);
+                if (suppressed) {
+                    if (suppressed.has("*") || suppressed.has(ruleUpper)) {
+                        return false;
+                    }
+                    for (const s of suppressed) {
+                        if (s.endsWith("-*") && ruleUpper.startsWith(s.slice(0, -1))) {
+                            return false;
+                        }
+                    }
+                }
+            }
+        }
+        return true;
+    });
 }
 function resolveJudgeSet(options) {
     const includeAstFindings = options?.includeAstFindings ?? true;
-    if (includeAstFindings) {
-        return JUDGES;
+    let judges = includeAstFindings ? JUDGES : JUDGES.filter((judge) => judge.id !== "code-structure");
+    // Apply config-based judge filtering
+    if (options?.config?.disabledJudges && options.config.disabledJudges.length > 0) {
+        const disabled = new Set(options.config.disabledJudges);
+        judges = judges.filter((j) => !disabled.has(j.id));
     }
-    return JUDGES.filter((judge) => judge.id !== "code-structure");
+    return judges;
 }
 /**
  * Run a single judge against the provided code.
  */
 export function evaluateWithJudge(judge, code, language, context, options) {
     const findings = [];
-    switch (judge.id) {
-        case "data-security":
-            findings.push(...analyzeDataSecurity(code, language));
-            break;
-        case "cybersecurity":
-            findings.push(...analyzeCybersecurity(code, language));
-            break;
-        case "cost-effectiveness":
-            findings.push(...analyzeCostEffectiveness(code, language));
-            break;
-        case "scalability":
-            findings.push(...analyzeScalability(code, language));
-            break;
-        case "cloud-readiness":
-            findings.push(...analyzeCloudReadiness(code, language));
-            break;
-        case "software-practices":
-            findings.push(...analyzeSoftwarePractices(code, language));
-            break;
-        case "accessibility":
-            findings.push(...analyzeAccessibility(code, language));
-            break;
-        case "api-design":
-            findings.push(...analyzeApiDesign(code, language));
-            break;
-        case "reliability":
-            findings.push(...analyzeReliability(code, language));
-            break;
-        case "observability":
-            findings.push(...analyzeObservability(code, language));
-            break;
-        case "performance":
-            findings.push(...analyzePerformance(code, language));
-            break;
-        case "compliance":
-            findings.push(...analyzeCompliance(code, language));
-            break;
-        case "data-sovereignty":
-            findings.push(...analyzeDataSovereignty(code, language));
-            break;
-        case "testing":
-            findings.push(...analyzeTesting(code, language));
-            break;
-        case "documentation":
-            findings.push(...analyzeDocumentation(code, language));
-            break;
-        case "internationalization":
-            findings.push(...analyzeInternationalization(code, language));
-            break;
-        case "dependency-health":
-            findings.push(...analyzeDependencyHealth(code, language));
-            break;
-        case "concurrency":
-            findings.push(...analyzeConcurrency(code, language));
-            break;
-        case "ethics-bias":
-            findings.push(...analyzeEthicsBias(code, language));
-            break;
-        case "maintainability":
-            findings.push(...analyzeMaintainability(code, language));
-            break;
-        case "error-handling":
-            findings.push(...analyzeErrorHandling(code, language));
-            break;
-        case "authentication":
-            findings.push(...analyzeAuthentication(code, language));
-            break;
-        case "database":
-            findings.push(...analyzeDatabase(code, language));
-            break;
-        case "caching":
-            findings.push(...analyzeCaching(code, language));
-            break;
-        case "configuration-management":
-            findings.push(...analyzeConfigurationManagement(code, language));
-            break;
-        case "backwards-compatibility":
-            findings.push(...analyzeBackwardsCompatibility(code, language));
-            break;
-        case "portability":
-            findings.push(...analyzePortability(code, language));
-            break;
-        case "ux":
-            findings.push(...analyzeUx(code, language));
-            break;
-        case "logging-privacy":
-            findings.push(...analyzeLoggingPrivacy(code, language));
-            break;
-        case "rate-limiting":
-            findings.push(...analyzeRateLimiting(code, language));
-            break;
-        case "ci-cd":
-            findings.push(...analyzeCiCd(code, language));
-            break;
-        case "code-structure":
-            findings.push(...analyzeCodeStructure(code, language));
-            break;
-        case "agent-instructions":
-            findings.push(...analyzeAgentInstructions(code, language));
-            break;
-        case "ai-code-safety":
-            findings.push(...analyzeAiCodeSafety(code, language));
-            break;
-    }
-    const filteredFindings = applyConfidenceThreshold(findings, options);
-    const score = calculateScore(filteredFindings);
-    const verdict = deriveVerdict(filteredFindings, score);
-    const summary = buildSummary(judge, filteredFindings, score, verdict);
+    // ── Registry-based dispatch: each judge carries its own analyze() method ──
+    if (judge.analyze) {
+        findings.push(...judge.analyze(code, language));
+    }
+    // ── File-type gating: suppress absence-based findings on non-server files ──
+    const fileCategory = classifyFile(code, language, options?.filePath);
+    const gatedFindings = shouldRunAbsenceRules(fileCategory)
+        ? findings
+        : findings.filter((f) => !isAbsenceBasedFinding(f));
+    // ── AST-aware refinements: dead code removal, scope context, import awareness, taint flows ──
+    const astStructure = options?._astCache;
+    const refinedFindings = astStructure
+        ? applyAstRefinements(gatedFindings, astStructure, options?._taintFlows)
+        : gatedFindings;
+    // ── Inline suppression: respect // judges-ignore RULE-ID comments ──
+    const unsuppressed = applyInlineSuppressions(refinedFindings, code);
+    // ── Auto-fix patches: attach machine-applicable patches where possible ──
+    const patchEnriched = enrichWithPatches(unsuppressed, code);
+    const filteredFindings = applyConfidenceThreshold(patchEnriched, options);
+    const configFiltered = applyConfig(filteredFindings, options?.config);
+    const score = calculateScore(configFiltered, code);
+    const verdict = deriveVerdict(configFiltered, score);
+    const summary = buildSummary(judge, configFiltered, score, verdict);
     return {
         judgeId: judge.id,
         judgeName: judge.name,
         verdict,
         score,
         summary,
-        findings: filteredFindings,
+        findings: configFiltered,
     };
 }
 /**
  * Run the full tribunal — all judges evaluate the code.
  */
 export function evaluateWithTribunal(code, language, context, options) {
-    const judges = resolveJudgeSet(options);
-    const evaluations = judges.map((judge) => evaluateWithJudge(judge, code, language, context, options));
+    // Compute AST once and share across all judges via options
+    const includeAst = options?.includeAstFindings ?? true;
+    const enrichedOptions = {
+        ...options,
+        ...(includeAst && !options?._astCache ? { _astCache: analyzeStructure(code, language) } : {}),
+        ...(!options?._taintFlows ? { _taintFlows: analyzeTaintFlows(code, language) } : {}),
+    };
+    const judges = resolveJudgeSet(enrichedOptions);
+    const evaluations = judges.map((judge) => evaluateWithJudge(judge, code, language, context, enrichedOptions));
     const overallScore = Math.round(evaluations.reduce((sum, e) => sum + e.score, 0) / evaluations.length);
     const overallVerdict = evaluations.some((e) => e.verdict === "fail")
         ? "fail"
         : evaluations.some((e) => e.verdict === "warning")
             ? "warning"
             : "pass";
-    const allFindings = evaluations.flatMap((e) => e.findings);
+    const rawFindings = evaluations.flatMap((e) => e.findings);
+    const dedupedFindings = crossEvaluatorDedup(rawFindings);
+    const allFindings = applyConfig(dedupedFindings, options?.config);
     const mustFixGate = evaluateMustFixGate(allFindings, options?.mustFixGate);
     const criticalCount = allFindings.filter((f) => f.severity === "critical").length;
     const highCount = allFindings.filter((f) => f.severity === "high").length;
     const effectiveVerdict = mustFixGate?.triggered ? "fail" : overallVerdict;
-    const summary = buildTribunalSummary(evaluations, effectiveVerdict, overallScore, criticalCount, highCount) + (mustFixGate
-        ? `\n\n## Must-Fix Gate\n\n- Status: **${mustFixGate.triggered ? "TRIGGERED" : "PASS"}**\n- Minimum confidence: **${Math.round(mustFixGate.minConfidence * 100)}%**\n- Matched findings: **${mustFixGate.matchedCount}**\n- Matched rule IDs: ${mustFixGate.matchedRuleIds.length > 0 ? mustFixGate.matchedRuleIds.map((id) => `\`${id}\``).join(", ") : "none"}\n`
-        : "");
+    const summary = buildTribunalSummary(evaluations, effectiveVerdict, overallScore, criticalCount, highCount) +
+        (mustFixGate
+            ? `\n\n## Must-Fix Gate\n\n- Status: **${mustFixGate.triggered ? "TRIGGERED" : "PASS"}**\n- Minimum confidence: **${Math.round(mustFixGate.minConfidence * 100)}%**\n- Matched findings: **${mustFixGate.matchedCount}**\n- Matched rule IDs: ${mustFixGate.matchedRuleIds.length > 0 ? mustFixGate.matchedRuleIds.map((id) => `\`${id}\``).join(", ") : "none"}\n`
+            : "");
     return {
         overallVerdict: effectiveVerdict,
         overallScore,
         summary,
         evaluations,
+        findings: allFindings,
         criticalCount,
         highCount,
         timestamp: new Date().toISOString(),
         mustFixGate,
     };
 }
-// ─── Project-level Multi-file Analysis ────────────────────────────────────────
-/**
- * Evaluate multiple files as a project. Runs the full tribunal on each file,
- * then detects cross-file architectural issues.
- */
+// ─── Project-level Multi-file Analysis (delegated to project.ts) ─────────────
+import { evaluateProject as _evaluateProject } from "./project.js";
 export function evaluateProject(files, context, options) {
-    // Per-file evaluations
-    const fileResults = files.map((f) => {
-        const verdict = evaluateWithTribunal(f.content, f.language, context, options);
-        return {
-            path: f.path,
-            language: f.language,
-            findings: verdict.evaluations.flatMap((e) => e.findings),
-            score: verdict.overallScore,
-        };
-    });
-    // Cross-file architectural findings
-    const architecturalFindings = [];
-    const allCode = files.map((f) => f.content).join("\n");
-    let archRule = 1;
-    // Check for duplicated logic across files
-    const functionDefs = new Map();
-    for (const f of files) {
-        const fns = f.content.match(/(?:function|def|fn|func)\s+(\w+)/g) ?? [];
-        for (const fn of fns) {
-            const name = fn.replace(/(?:function|def|fn|func)\s+/, "");
-            const paths = functionDefs.get(name) ?? [];
-            paths.push(f.path);
-            functionDefs.set(name, paths);
-        }
-    }
-    const duplicated = [...functionDefs.entries()].filter(([, paths]) => paths.length > 1);
-    if (duplicated.length > 0) {
-        architecturalFindings.push({
-            ruleId: `ARCH-${String(archRule++).padStart(3, "0")}`,
-            severity: "medium",
-            title: "Potentially duplicated function names across files",
-            description: `Functions with identical names found in multiple files: ${duplicated.slice(0, 5).map(([name, paths]) => `${name} (${paths.join(", ")})`).join("; ")}. This may indicate code duplication.`,
-            recommendation: "Extract shared logic into a common module and import it where needed.",
-        });
-    }
-    // Check for inconsistent error handling patterns
-    const errorPatterns = files.map((f) => ({
-        path: f.path,
-        hasTryCatch: /try\s*\{/.test(f.content),
-        hasResultType: /Result<|Result\(|Either/.test(f.content),
-        hasExceptions: /throw\s+new|raise\s+|panic!/.test(f.content),
-    }));
-    const distinctPatterns = new Set(errorPatterns.map((e) => [e.hasTryCatch, e.hasResultType, e.hasExceptions].toString()));
-    if (distinctPatterns.size > 1 && files.length > 2) {
-        architecturalFindings.push({
-            ruleId: `ARCH-${String(archRule++).padStart(3, "0")}`,
-            severity: "low",
-            title: "Inconsistent error handling patterns across files",
-            description: "Different files use different error handling approaches (try/catch vs Result types vs raw throws). This makes the codebase harder to reason about.",
-            recommendation: "Standardize on a single error handling strategy across the project.",
-        });
-    }
-    const filteredArchitecturalFindings = applyConfidenceThreshold(architecturalFindings, options);
-    // Check for circular-looking dependency indicators
-    const importMap = new Map();
-    for (const f of files) {
-        const imports = f.content.match(/(?:import|from|require)\s*[\s(]['"]\.{1,2}\/([^'"]+)['"]/g) ?? [];
-        importMap.set(f.path, imports.map((i) => i.replace(/.*['"]\.{1,2}\/([^'"]+)['"].*/, "$1")));
-    }
-    // Overall scores
-    const allFindings = fileResults.flatMap((f) => f.findings);
-    const crossFindings = [...allFindings, ...filteredArchitecturalFindings];
-    const overallScore = fileResults.length > 0
-        ? Math.round(fileResults.reduce((sum, f) => sum + f.score, 0) /
-            fileResults.length)
-        : 100;
-    const criticalCount = crossFindings.filter((f) => f.severity === "critical").length;
-    const highCount = crossFindings.filter((f) => f.severity === "high").length;
-    const overallVerdict = criticalCount > 0 || overallScore < 60
-        ? "fail"
-        : highCount > 0 || overallScore < 80
-            ? "warning"
-            : "pass";
-    const summary = `Project analysis: ${files.length} files, ${crossFindings.length} findings, score ${overallScore}/100 — ${overallVerdict.toUpperCase()}`;
-    return {
-        overallVerdict,
-        overallScore,
-        summary,
-        evaluations: [],
-        criticalCount,
-        highCount,
-        timestamp: new Date().toISOString(),
-        fileResults,
-        architecturalFindings: filteredArchitecturalFindings,
-    };
+    const runner = { evaluateWithTribunal };
+    return _evaluateProject(runner, files, context, options);
 }
 // ─── Diff-based Incremental Analysis ──────────────────────────────────────────
 /**
@@ -419,7 +347,7 @@ export function evaluateProject(files, context, options) {
  */
 export function evaluateDiff(code, language, changedLines, context, options) {
     const verdict = evaluateWithTribunal(code, language, context, options);
-    const allFindings = verdict.evaluations.flatMap((e) => e.findings);
+    const allFindings = verdict.findings;
     // Filter findings to only those touching changed lines
     const changedSet = new Set(changedLines);
     const diffFindings = allFindings.filter((f) => {
@@ -427,7 +355,7 @@ export function evaluateDiff(code, language, changedLines, context, options) {
             return false;
         return f.lineNumbers.some((ln) => changedSet.has(ln));
     });
-    const score = calculateScore(diffFindings);
+    const score = calculateScore(diffFindings, code);
     const diffVerdict = deriveVerdict(diffFindings, score);
     return {
         linesAnalyzed: changedLines.length,
@@ -437,378 +365,16 @@ export function evaluateDiff(code, language, changedLines, context, options) {
         summary: `Diff analysis: ${changedLines.length} changed lines, ${diffFindings.length} findings in changed code, score ${score}/100 — ${diffVerdict.toUpperCase()}`,
     };
 }
-// ─── Dependency / Supply-chain Analysis ───────────────────────────────────────
-/**
- * Parse a manifest file and analyze dependencies for supply-chain risks.
- */
-export function analyzeDependencies(manifest, manifestType) {
-    const dependencies = [];
-    const findings = [];
-    let ruleNum = 1;
-    const prefix = "SUPPLY";
-    // Parse manifest based on type
-    if (manifestType === "package.json") {
-        try {
-            const pkg = JSON.parse(manifest);
-            for (const [name, version] of Object.entries(pkg.dependencies ?? {})) {
-                dependencies.push({
-                    name,
-                    version: String(version),
-                    isDev: false,
-                    source: manifestType,
-                });
-            }
-            for (const [name, version] of Object.entries(pkg.devDependencies ?? {})) {
-                dependencies.push({
-                    name,
-                    version: String(version),
-                    isDev: true,
-                    source: manifestType,
-                });
-            }
-        }
-        catch {
-            findings.push({
-                ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-                severity: "high",
-                title: "Invalid package.json",
-                description: "Failed to parse package.json. The file may be malformed.",
-                recommendation: "Validate and fix the JSON structure.",
-            });
-        }
-    }
-    else if (manifestType === "requirements.txt") {
-        for (const line of manifest.split("\n")) {
-            const trimmed = line.trim();
-            if (!trimmed || trimmed.startsWith("#"))
-                continue;
-            const match = trimmed.match(/^([a-zA-Z0-9_-]+)\s*(?:[>=<~!]+\s*(.+))?$/);
-            if (match) {
-                dependencies.push({
-                    name: match[1],
-                    version: match[2] ?? "*",
-                    isDev: false,
-                    source: manifestType,
-                });
-            }
-        }
-    }
-    else if (manifestType === "Cargo.toml") {
-        // Match [dependencies] section up to the next [section] header or EOF
-        const depSection = manifest.match(/\[dependencies\]\s*\n([\s\S]*?)(?=\n\s*\[|\s*$)/)?.[1];
-        if (depSection) {
-            for (const line of depSection.split("\n")) {
-                // Simple: name = "version"
-                const simple = line.match(/^(\w[\w-]*)\s*=\s*"([^"]+)"/);
-                if (simple) {
-                    dependencies.push({
-                        name: simple[1],
-                        version: simple[2],
-                        isDev: false,
-                        source: manifestType,
-                    });
-                    continue;
-                }
-                // Inline table: name = { version = "...", ... }
-                const table = line.match(/^(\w[\w-]*)\s*=\s*\{[^}]*version\s*=\s*"([^"]+)"/);
-                if (table) {
-                    dependencies.push({
-                        name: table[1],
-                        version: table[2],
-                        isDev: false,
-                        source: manifestType,
-                    });
-                }
-            }
-        }
-    }
-    else if (manifestType === "go.mod") {
-        for (const line of manifest.split("\n")) {
-            const match = line
-                .trim()
-                .match(/^([\w./\-@]+)\s+(v[\d.]+(?:-[\w.]+)?)/);
-            if (match) {
-                dependencies.push({
-                    name: match[1],
-                    version: match[2],
-                    isDev: false,
-                    source: manifestType,
-                });
-            }
-        }
-    }
-    else if (manifestType === "pom.xml") {
-        const depRegex = /<dependency>[\s\S]*?<groupId>([^<]+)<\/groupId>[\s\S]*?<artifactId>([^<]+)<\/artifactId>[\s\S]*?(?:<version>([^<]*)<\/version>)?[\s\S]*?<\/dependency>/g;
-        let m;
-        while ((m = depRegex.exec(manifest)) !== null) {
-            dependencies.push({
-                name: `${m[1]}:${m[2]}`,
-                version: m[3] ?? "managed",
-                isDev: false,
-                source: manifestType,
-            });
-        }
-    }
-    else if (manifestType === "csproj") {
-        const pkgRegex = /<PackageReference\s+Include="([^"]+)"\s+Version="([^"]*)"/g;
-        let m;
-        while ((m = pkgRegex.exec(manifest)) !== null) {
-            dependencies.push({
-                name: m[1],
-                version: m[2],
-                isDev: false,
-                source: manifestType,
-            });
-        }
-    }
-    // Supply-chain analysis rules
-    // Wildcard / unpinned versions
-    const unpinned = dependencies.filter((d) => d.version === "*" ||
-        d.version === "latest" ||
-        /^\^/.test(d.version) ||
-        /^~/.test(d.version) ||
-        />=/.test(d.version));
-    if (unpinned.length > 0) {
-        findings.push({
-            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-            severity: "medium",
-            title: "Unpinned dependency versions",
-            description: `${unpinned.length} dependencies use unpinned/loose version ranges: ${unpinned.slice(0, 5).map((d) => `${d.name}@${d.version}`).join(", ")}. This can lead to unexpected breaking changes and supply-chain attacks.`,
-            recommendation: "Pin dependencies to exact versions or use a lockfile (package-lock.json, Cargo.lock, go.sum).",
-            reference: "Supply Chain Security Best Practices",
-        });
-    }
-    // Too many dependencies
-    if (dependencies.filter((d) => !d.isDev).length > 50) {
-        findings.push({
-            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-            severity: "low",
-            title: "Large number of production dependencies",
-            description: `${dependencies.filter((d) => !d.isDev).length} production dependencies detected. Each dependency increases attack surface and maintenance burden.`,
-            recommendation: "Audit dependencies regularly. Remove unused packages. Consider inlining small utilities.",
-            reference: "Dependency Minimization Best Practices",
-        });
-    }
-    // Known risky package name patterns (typosquatting indicators)
-    const knownPrefixes = [
-        "lodash",
-        "express",
-        "react",
-        "vue",
-        "angular",
-        "axios",
-        "moment",
-    ];
-    const suspicious = dependencies.filter((d) => knownPrefixes.some((p) => d.name !== p &&
-        d.name.startsWith(p) &&
-        d.name.length <= p.length + 3));
-    if (suspicious.length > 0) {
-        findings.push({
-            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-            severity: "high",
-            title: "Potentially typosquatted package names",
-            description: `Suspicious package names detected that are similar to popular packages: ${suspicious.map((d) => d.name).join(", ")}. These may be typosquatting attempts.`,
-            recommendation: "Verify these package names are intentional and not typos of well-known packages.",
-            reference: "NPM Typosquatting / Supply Chain Attacks",
-        });
-    }
-    // Dev dependencies in production flag
-    const devInProd = dependencies.filter((d) => !d.isDev &&
-        /test|jest|mocha|chai|sinon|eslint|prettier|typescript|ts-node|nodemon/i.test(d.name));
-    if (devInProd.length > 0) {
-        findings.push({
-            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-            severity: "medium",
-            title: "Development tools in production dependencies",
-            description: `The following look like dev tools but are listed as production dependencies: ${devInProd.map((d) => d.name).join(", ")}. This inflates deployment size and attack surface.`,
-            recommendation: "Move development tools to devDependencies (or equivalent dev scope).",
-        });
-    }
-    // No lockfile hint
-    if (manifestType === "package.json" &&
-        !manifest.includes("lockfileVersion")) {
-        findings.push({
-            ruleId: `${prefix}-${String(ruleNum++).padStart(3, "0")}`,
-            severity: "info",
-            title: "Reminder: ensure a lockfile is committed",
-            description: "This analysis is based on the manifest. Ensure a lockfile (package-lock.json, yarn.lock) is committed for reproducible builds.",
-            recommendation: "Commit your lockfile to version control. Run npm ci in CI/CD instead of npm install.",
-        });
-    }
-    const score = calculateScore(findings);
-    const verdict = deriveVerdict(findings, score);
-    return {
-        totalDependencies: dependencies.length,
-        findings,
-        dependencies,
-        score,
-        verdict,
-        summary: `Dependency analysis: ${dependencies.length} dependencies, ${findings.length} findings, score ${score}/100 — ${verdict.toUpperCase()}`,
-    };
-}
+// ─── Dependency / Supply-chain Analysis (delegated to dependencies.ts) ───────
+export { analyzeDependencies } from "./dependencies.js";
 // ─── App Builder Flow (Review → Translate → Task Plan) ─────────────────────
-function severityRank(severity) {
-    switch (severity) {
-        case "critical":
-            return 5;
-        case "high":
-            return 4;
-        case "medium":
-            return 3;
-        case "low":
-            return 2;
-        case "info":
-            return 1;
-    }
-}
-function dedupeFindings(findings) {
-    const seen = new Set();
-    const result = [];
-    for (const finding of findings) {
-        const key = `${finding.ruleId}|${finding.title}|${finding.severity}`;
-        if (seen.has(key))
-            continue;
-        seen.add(key);
-        result.push(finding);
-    }
-    return result;
-}
-function decideRelease(criticalCount, highCount, score) {
-    if (criticalCount > 0 || score < 60)
-        return "do-not-ship";
-    if (highCount > 0 || score < 80)
-        return "ship-with-caution";
-    return "ship-now";
-}
-function toPlainLanguageFinding(finding) {
-    const severityImpact = {
-        critical: "This can directly cause security incidents, outages, or serious compliance exposure.",
-        high: "This is likely to impact users or operations if left unresolved.",
-        medium: "This can create reliability, maintainability, or quality issues over time.",
-        low: "This is a quality improvement that reduces friction and future rework.",
-        info: "This is guidance to strengthen consistency and engineering hygiene.",
-    };
-    return {
-        ruleId: finding.ruleId,
-        severity: finding.severity,
-        title: finding.title,
-        whatIsWrong: `${finding.title}: ${finding.description}`,
-        whyItMatters: severityImpact[finding.severity],
-        nextAction: finding.recommendation,
-    };
-}
-function pickOwner(finding) {
-    if (/^(UX|A11Y|I18N|ETHICS|COMPAT)-/.test(finding.ruleId))
-        return "product";
-    if (/^(DOC|TEST|MAINT|ERR|CFG)-/.test(finding.ruleId))
-        return "ai";
-    return "developer";
-}
-function pickPriority(severity) {
-    if (severity === "critical")
-        return "P0";
-    if (severity === "high")
-        return "P1";
-    return "P2";
-}
-function pickEffort(finding) {
-    if (finding.severity === "critical")
-        return "L";
-    if (finding.severity === "high")
-        return "M";
-    return finding.lineNumbers && finding.lineNumbers.length > 3 ? "M" : "S";
-}
-function toWorkflowTask(finding) {
-    const owner = pickOwner(finding);
-    const priority = pickPriority(finding.severity);
-    const effort = pickEffort(finding);
-    const aiFixable = owner !== "product";
-    return {
-        priority,
-        owner,
-        effort,
-        ruleId: finding.ruleId,
-        task: `${finding.title} — ${finding.recommendation}`,
-        doneWhen: `A follow-up review no longer reports ${finding.ruleId} and related tests/checks pass.`,
-        aiFixable,
-    };
-}
+import { runAppBuilderWorkflow as _runAppBuilderWorkflow } from "./app-builder.js";
+const engine = { evaluateWithTribunal, evaluateProject, evaluateDiff };
 export function runAppBuilderWorkflow(params) {
-    const maxFindings = Math.max(1, params.maxFindings ?? 10);
-    const maxTasks = Math.max(1, params.maxTasks ?? 20);
-    let mode;
-    let verdict;
-    let score;
-    let findings;
-    if (params.files && params.files.length > 0) {
-        mode = "project";
-        const result = evaluateProject(params.files, params.context, {
-            includeAstFindings: params.includeAstFindings,
-            minConfidence: params.minConfidence,
-        });
-        verdict = result.overallVerdict;
-        score = result.overallScore;
-        findings = [
-            ...result.fileResults.flatMap((fr) => fr.findings),
-            ...result.architecturalFindings,
-        ];
-    }
-    else if (params.changedLines && params.changedLines.length > 0) {
-        if (!params.code || !params.language) {
-            throw new Error("changedLines mode requires both code and language inputs");
-        }
-        mode = "diff";
-        const result = evaluateDiff(params.code, params.language, params.changedLines, params.context, {
-            includeAstFindings: params.includeAstFindings,
-            minConfidence: params.minConfidence,
-        });
-        verdict = result.verdict;
-        score = result.score;
-        findings = result.findings;
-    }
-    else {
-        if (!params.code || !params.language) {
-            throw new Error("code mode requires both code and language, or provide files for project mode");
-        }
-        mode = "code";
-        const result = evaluateWithTribunal(params.code, params.language, params.context, {
-            includeAstFindings: params.includeAstFindings,
-            minConfidence: params.minConfidence,
-        });
-        verdict = result.overallVerdict;
-        score = result.overallScore;
-        findings = result.evaluations.flatMap((evaluation) => evaluation.findings);
-    }
-    const dedupedFindings = dedupeFindings(findings).sort((a, b) => severityRank(b.severity) - severityRank(a.severity));
-    const criticalCount = dedupedFindings.filter((finding) => finding.severity === "critical").length;
-    const highCount = dedupedFindings.filter((finding) => finding.severity === "high").length;
-    const mediumCount = dedupedFindings.filter((finding) => finding.severity === "medium").length;
-    const releaseDecision = decideRelease(criticalCount, highCount, score);
-    const topFindings = dedupedFindings
-        .filter((finding) => ["critical", "high", "medium"].includes(finding.severity))
-        .slice(0, maxFindings);
-    const plainLanguageFindings = topFindings.map(toPlainLanguageFinding);
-    const tasks = dedupedFindings.slice(0, maxTasks).map(toWorkflowTask);
-    const aiFixableNow = tasks.filter((task) => task.aiFixable && (task.priority === "P0" || task.priority === "P1"));
-    const summary = releaseDecision === "do-not-ship"
-        ? "Do not ship yet. Resolve critical risks before release."
-        : releaseDecision === "ship-with-caution"
-            ? "Ship with caution. Address high-priority gaps and monitor closely."
-            : "Ship now. No blocking risks were detected in this review pass.";
-    return {
-        mode,
-        verdict,
-        score,
-        criticalCount,
-        highCount,
-        mediumCount,
-        releaseDecision,
-        summary,
-        plainLanguageFindings,
-        tasks,
-        aiFixableNow,
-    };
+    return _runAppBuilderWorkflow(engine, params);
 }
 // ─── Re-exports ──────────────────────────────────────────────────────────────
 export { formatVerdictAsMarkdown, formatEvaluationAsMarkdown };
+export { enrichWithPatches } from "../patches/index.js";
+export { crossEvaluatorDedup } from "../dedup.js";
 //# sourceMappingURL=index.js.map