@kevinrabun/judges 3.117.1 → 3.117.3

package/dist/ast/taint-tracker.js

@@ -11,25 +11,8 @@
 // - Same-file inter-procedural taint (function parameter → return tracking)
 // - Guard clause sensitivity (validation guards reduce taint confidence)
 // ─────────────────────────────────────────────────────────────────────────────
-import { createRequire } from "node:module";
+import ts from "typescript";
 import { normalizeLanguage } from "../language-patterns.js";
-// Lazy-load the TypeScript compiler API so that modules which transitively
-// import this file (e.g. the VS Code extension bundle) do not crash at load
-// time when the `typescript` package is not available at runtime.
-//
-// In CJS bundles (esbuild for VS Code extension), `import.meta.url` is empty
-// but the bundler emits a CJS `require` for externals — so `require` just
-// works.  In native ESM (tests, CLI), we use `createRequire` from the real
-// `import.meta.url`.
-let _ts;
-function getTS() {
-    if (!_ts) {
-        const metaUrl = typeof import.meta?.url === "string" ? import.meta.url : undefined;
-        const req = metaUrl ? createRequire(metaUrl) : require;
-        _ts = req("typescript");
-    }
-    return _ts;
-}
 // ─── Source / Sink Definitions ───────────────────────────────────────────────
 const SOURCE_PATTERNS = [
     { pattern: /\breq(?:uest)?\.(?:body|query|params|headers|cookies)\b/i, kind: "http-param" },
@@ -164,7 +147,6 @@ function containsWordBoundary(text, varName) {
  * Tracks which function parameters flow to return values.
  */
 function buildFunctionTaintMap(sourceFile, _taintMap) {
-    const ts = getTS();
     const result = new Map();
     ts.forEachChild(sourceFile, function walk(node) {
         if (ts.isFunctionDeclaration(node) ||
@@ -213,7 +195,6 @@ function buildFunctionTaintMap(sourceFile, _taintMap) {
     return result;
 }
 function getFnName(node) {
-    const ts = getTS();
     if (ts.isFunctionDeclaration(node) || ts.isMethodDeclaration(node)) {
         return node.name?.getText();
     }
@@ -707,14 +688,7 @@ export function analyzeTaintFlows(code, language) {
     switch (lang) {
         case "javascript":
         case "typescript":
-            try {
-                return analyzeTypeScriptTaint(code, lang);
-            }
-            catch {
-                // typescript package unavailable (e.g. VS Code extension bundle) —
-                // fall through to regex-based analysis
-                return analyzeRegexTaint(code, LANGUAGE_PATTERN_MAP[lang]);
-            }
+            return analyzeTypeScriptTaint(code, lang);
         default: {
             const langPatterns = LANGUAGE_PATTERN_MAP[lang];
             return analyzeRegexTaint(code, langPatterns);
@@ -723,7 +697,6 @@ export function analyzeTaintFlows(code, language) {
 }
 // ─── TypeScript / JavaScript Taint Analysis ──────────────────────────────────
 function analyzeTypeScriptTaint(code, language) {
-    const ts = getTS();
     const scriptKind = language === "typescript" ? ts.ScriptKind.TS : ts.ScriptKind.JS;
     const sourceFile = ts.createSourceFile("input." + (language === "typescript" ? "ts" : "js"), code, ts.ScriptTarget.Latest, true, scriptKind);
     const flows = [];

package/dist/evaluators/index.js

@@ -435,16 +435,8 @@ export function evaluateWithJudge(judge, code, language, context, options) {
             : undefined;
         findings.push(...judge.analyze(code, language, analyzeCtx));
     }
-    // ── Recall boost: supplementary patterns for weak-recall categories ──
-    const boostResult = applyRecallBoost(code, language);
-    if (boostResult.findings.length > 0) {
-        // Deduplicate: only add boost findings whose ruleId isn't already present
-        for (const bf of boostResult.findings) {
-            if (!findings.some((f) => f.ruleId === bf.ruleId)) {
-                findings.push(bf);
-            }
-        }
-    }
+    // NOTE: Recall boost (applyRecallBoost) is applied once in evaluateWithTribunal()
+    // rather than per-judge, to avoid generating N duplicate boost findings.
     // ── Absence gating ──
     // Absence-based findings ("no rate limiting", "no monitoring", etc.) are
     // project-level concerns that cannot be accurately assessed from a single
@@ -706,6 +698,18 @@ export function evaluateWithTribunal(code, language, context, options) {
             ? "warning"
             : "pass";
     const rawFindings = evaluations.flatMap((e) => e.findings);
+    // ── Recall boost (once, not per-judge) ──
+    // Apply supplementary recall-boost patterns a single time and merge into
+    // the raw findings before cross-evaluator dedup. Previously this ran
+    // inside evaluateWithJudge(), producing N identical copies per judge.
+    const boostResult = applyRecallBoost(code, language);
+    if (boostResult.findings.length > 0) {
+        for (const bf of boostResult.findings) {
+            if (!rawFindings.some((f) => f.ruleId === bf.ruleId)) {
+                rawFindings.push(bf);
+            }
+        }
+    }
     const dedupedFindings = crossEvaluatorDedup(rawFindings);
     const { filtered: fpFiltered } = filterFalsePositiveHeuristics(dedupedFindings, code, language, enrichedOptions?.filePath);
     const configFiltered = applyConfig(fpFiltered, options?.config);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kevinrabun/judges",
-  "version": "3.117.1",
+  "version": "3.117.3",
   "description": "45 specialized judges that evaluate AI-generated code for security, cost, and quality.",
   "mcpName": "io.github.KevinRabun/judges",
   "type": "module",

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/kevinrabun/judges",
     "source": "github"
   },
-  "version": "3.117.1",
+  "version": "3.117.3",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@kevinrabun/judges",
-      "version": "3.117.1",
+      "version": "3.117.3",
       "transport": {
         "type": "stdio"
       }