@kevinrabun/judges 3.117.8 → 3.118.0

package/dist/api.d.ts

@@ -161,3 +161,9 @@ export declare function evaluateFilesStream(files: FileInput[], options?: Evalua
 export declare function evaluateFilesBatch(files: FileInput[], concurrency?: number, options?: EvaluationOptions, onProgress?: (completed: number, total: number) => void): Promise<FileEvaluationResult[]>;
 export { handleWebhook, verifyWebhookSignature, loadAppConfig, startAppServer, runAppCommand } from "./github-app.js";
 export type { GitHubAppConfig } from "./github-app.js";
+export { evaluateGitDiff, evaluateUnifiedDiff, parseUnifiedDiffToChangedLines } from "./git-diff.js";
+export type { FileChangedLines, GitDiffVerdict } from "./git-diff.js";
+export { resolveImports, buildRelatedFilesContext } from "./import-resolver.js";
+export type { ResolvedImport, ImportResolutionResult } from "./import-resolver.js";
+export { applyAutoTune, generateAutoTuneReport, formatAutoTuneReport, formatAutoTuneReportJson } from "./auto-tune.js";
+export type { AutoTuneReport, AutoTuneOptions, AutoTuneAction } from "./auto-tune.js";

package/dist/api.js

@@ -187,3 +187,9 @@ export async function evaluateFilesBatch(files, concurrency = 4, options, onProg
 }
 // ─── GitHub App ──────────────────────────────────────────────────────────────
 export { handleWebhook, verifyWebhookSignature, loadAppConfig, startAppServer, runAppCommand } from "./github-app.js";
+// ─── Git Diff Evaluation ─────────────────────────────────────────────────────
+export { evaluateGitDiff, evaluateUnifiedDiff, parseUnifiedDiffToChangedLines } from "./git-diff.js";
+// ─── Cross-File Import Resolution ────────────────────────────────────────────
+export { resolveImports, buildRelatedFilesContext } from "./import-resolver.js";
+// ─── Auto-Tune (Feedback-Driven Calibration) ────────────────────────────────
+export { applyAutoTune, generateAutoTuneReport, formatAutoTuneReport, formatAutoTuneReportJson } from "./auto-tune.js";

package/dist/commands/watch.d.ts

@@ -7,11 +7,16 @@
  *   judges watch src/ --judge cyber       # Single judge only
  *   judges watch src/ --fail-on-findings  # Exit 1 on first failure
  */
+import { watch as fsWatch } from "fs";
 interface WatchArgs {
     path: string;
     judge: string | undefined;
     failOnFindings: boolean;
 }
 export declare function parseWatchArgs(argv: string[]): WatchArgs;
-export declare function runWatch(argv: string[]): void;
+export interface WatchOptions {
+    /** Override the fs.watch function (useful for testing). */
+    fsWatch?: typeof fsWatch;
+}
+export declare function runWatch(argv: string[], options?: WatchOptions): void;
 export {};

package/dist/commands/watch.js

@@ -126,8 +126,8 @@ function debounce(fn, ms) {
         timer = setTimeout(fn, ms);
     };
 }
-// ─── Main Watch Command ────────────────────────────────────────────────────
-export function runWatch(argv) {
+export function runWatch(argv, options) {
+    const watchFn = options?.fsWatch ?? fsWatch;
     const args = parseWatchArgs(argv);
     const target = resolve(args.path);
     if (!existsSync(target)) {
@@ -146,7 +146,7 @@ export function runWatch(argv) {
     const isDir = statSync(target).isDirectory();
     if (isDir) {
         // Watch directory recursively
-        const watcher = fsWatch(target, { recursive: true });
+        const watcher = watchFn(target, { recursive: true });
         watcher.on("change", (_event, filename) => {
             if (!filename)
                 return;
@@ -178,7 +178,7 @@ export function runWatch(argv) {
                 console.error(`  Error evaluating ${args.path}:`, err);
             }
         }, 300);
-        const watcher = fsWatch(target);
+        const watcher = watchFn(target);
         watcher.on("change", () => debouncedEval());
         // Run initial evaluation
         evaluateFile(target, detectLanguage(target), args.judge);

package/dist/evaluators/index.d.ts

@@ -59,6 +59,40 @@ export interface EvaluationOptions {
      * and improves performance. Defaults to false (run all judges).
      */
     adaptiveSelection?: boolean;
+    /**
+     * Enable automatic feedback-driven auto-tuning.
+     * When true, loads the feedback store and applies time-decay weighted
+     * auto-suppression (FP rate >= 80%), severity downgrading (50-80%),
+     * and confidence boosting (< 15%) without requiring `calibrate` to be set.
+     * Defaults to false. When both `autoTune` and `calibrate` are set,
+     * auto-tune runs first, then calibration refines further.
+     */
+    autoTune?: boolean;
+    /**
+     * Include deep-review prompt section in the verdict for LLM-augmented analysis.
+     * When true, appends the tribunal deep-review criteria to the verdict metadata
+     * so that downstream LLM consumers can perform contextual reasoning beyond
+     * pattern matching. This is the bridge between Layer 1 (deterministic) and
+     * Layer 2 (LLM) review.
+     */
+    deepReview?: boolean;
+    /**
+     * Related file snippets for cross-file deep-review context.
+     * When deepReview is enabled, these are included in the deep-review prompt
+     * to give the LLM visibility into imports, shared types, and call sites.
+     */
+    relatedFiles?: Array<{
+        path: string;
+        snippet: string;
+        relationship?: string;
+    }>;
+    /**
+     * Minimum confidence threshold for findings to appear in the output.
+     * Findings below this threshold are filtered out of the verdict.
+     * The verdict includes a `filteredCount` field showing how many were removed.
+     * Value range: 0-1 (e.g., 0.6 means only findings with >= 60% confidence appear).
+     */
+    confidenceFilter?: number;
     /** @internal — pre-computed AST structure for the file (set by evaluateWithTribunal) */
     _astCache?: CodeStructure;
     /** @internal — pre-computed taint flows for the file (set by evaluateWithTribunal) */

package/dist/evaluators/index.js

@@ -23,6 +23,8 @@ import { selectJudges } from "./judge-selector.js";
 import { getGlobalSession } from "../evaluation-session.js";
 import { evaluateEscalations, enhanceReviewWithEscalations } from "../escalation.js";
 import { applyRecallBoost } from "./recall-boost.js";
+import { buildTribunalDeepReviewSection } from "../tools/deep-review.js";
+import { detectProjectContext } from "./shared.js";
 // ── AST-aware post-processing ───────────────────────────────────────────────
 // ── Module-level caches for AST/taint results ───────────────────────────────
 const astStructureCache = new LRUCache(256);
@@ -634,6 +636,10 @@ export function evaluateWithTribunal(code, language, context, options) {
             ms: options.config?.minSeverity,
             jw: options.config?.judgeWeights,
             mfg: options.mustFixGate,
+            at: options.autoTune,
+            drev: options.deepReview,
+            cf: options.confidenceFilter,
+            rf: options.relatedFiles?.length,
         })
         : "";
     const hash = contentHash(code, language + optionsSuffix);
@@ -749,6 +755,7 @@ export function evaluateWithTribunal(code, language, context, options) {
     // 2. Severity downgrade for rules with FP rate 50-80%
     // 3. Confidence calibration based on historical FP rates
     let calibrated = configFiltered;
+    let autoTuneMetadata;
     if (enrichedOptions.calibrate) {
         try {
             const calOpts = typeof enrichedOptions.calibrate === "object" ? enrichedOptions.calibrate : undefined;
@@ -756,6 +763,7 @@ export function evaluateWithTribunal(code, language, context, options) {
             if (feedbackStore.entries.length > 0) {
                 const tuned = applyAutoTune(calibrated, feedbackStore);
                 calibrated = tuned.findings;
+                autoTuneMetadata = { suppressed: tuned.suppressed, downgraded: tuned.downgraded };
             }
             else {
                 // No feedback data — try plain calibration profile
@@ -769,6 +777,23 @@ export function evaluateWithTribunal(code, language, context, options) {
             // Calibration failure is non-fatal — continue with uncalibrated findings
         }
     }
+    else if (enrichedOptions.autoTune) {
+        // ── Standalone auto-tune (without full calibrate) ──
+        // Lightweight feedback-only tuning path: applies auto-suppression and
+        // severity downgrades from the feedback store without requiring a
+        // full calibration profile.
+        try {
+            const feedbackStore = loadFeedbackStore();
+            if (feedbackStore.entries.length > 0) {
+                const tuned = applyAutoTune(calibrated, feedbackStore);
+                calibrated = tuned.findings;
+                autoTuneMetadata = { suppressed: tuned.suppressed, downgraded: tuned.downgraded };
+            }
+        }
+        catch {
+            // Auto-tune failure is non-fatal
+        }
+    }
     // ── Auto-activate model-specific calibration profile ──
     // If the model-fingerprint judge detected a model, apply the model-specific
     // calibration profile automatically (when feedback data exists).
@@ -829,7 +854,20 @@ export function evaluateWithTribunal(code, language, context, options) {
     catch {
         // Session feedback calibration failure is non-fatal
     }
-    const cappedFindings = applyPerFileFindingCap(sessionAdjusted, maxFindings);
+    // ── Confidence-based output filtering ──
+    // When confidenceFilter is set, drop findings below the threshold entirely.
+    // This gives callers a first-class knob to control signal-to-noise ratio.
+    let confidenceFiltered = sessionAdjusted;
+    let confidenceFilteredOutCount = 0;
+    if (enrichedOptions.confidenceFilter !== undefined &&
+        enrichedOptions.confidenceFilter !== null &&
+        enrichedOptions.confidenceFilter > 0) {
+        const threshold = enrichedOptions.confidenceFilter;
+        const before = confidenceFiltered.length;
+        confidenceFiltered = confidenceFiltered.filter((f) => (f.confidence ?? 0.5) >= threshold);
+        confidenceFilteredOutCount = before - confidenceFiltered.length;
+    }
+    const cappedFindings = applyPerFileFindingCap(confidenceFiltered, maxFindings);
     // ── Confidence-based tiering for progressive disclosure ──
     // Tag each finding with a disclosure tier so downstream consumers (CLI,
     // formatters, VS Code extension) can show only high-confidence findings
@@ -882,6 +920,32 @@ export function evaluateWithTribunal(code, language, context, options) {
         },
         reviewDecision: synthesizeReviewDecision(enrichedFindings),
     };
+    // ── Deep review prompt attachment (P0.1) ──
+    // When deepReview is enabled, build and attach a structured LLM prompt
+    // section so downstream consumers can trigger a second-pass analysis.
+    if (enrichedOptions.deepReview) {
+        try {
+            const projectCtx = detectProjectContext(code, language, enrichedOptions.filePath);
+            const relatedSnippets = enrichedOptions.relatedFiles ?? [];
+            result.deepReviewPrompt = buildTribunalDeepReviewSection(judges, language, context, relatedSnippets.map((r) => ({ path: r.path, snippet: r.snippet, relationship: r.relationship })), projectCtx);
+        }
+        catch {
+            // Deep review prompt generation failure is non-fatal
+        }
+    }
+    // ── Attach auto-tune metadata ──
+    if (autoTuneMetadata) {
+        result.autoTuneApplied = autoTuneMetadata;
+    }
+    // ── Attach confidence filter metadata ──
+    if (enrichedOptions.confidenceFilter !== undefined &&
+        enrichedOptions.confidenceFilter !== null &&
+        confidenceFilteredOutCount > 0) {
+        result.confidenceFilterApplied = {
+            threshold: enrichedOptions.confidenceFilter,
+            filteredOut: confidenceFilteredOutCount,
+        };
+    }
     // ── AI model detection escalation ──
     // When the model-fingerprint judge (MFPR-* rules) fires, attach escalation
     // metadata so downstream consumers can trigger deeper review or add

package/dist/git-diff.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Native Git Diff Evaluation
+ *
+ * Integrates git diff parsing directly into the evaluation pipeline,
+ * eliminating the need for callers to manually compute changed lines.
+ *
+ * Provides:
+ * - `evaluateGitDiff()` — evaluates changed files in a git diff
+ * - `parseUnifiedDiffToChangedLines()` — extracts per-file changed lines from unified diff
+ */
+import type { DiffVerdict } from "./types.js";
+import type { EvaluationOptions } from "./evaluators/index.js";
+export interface FileChangedLines {
+    /** Relative file path */
+    filePath: string;
+    /** 1-based line numbers that were added or modified */
+    changedLines: number[];
+}
+export interface GitDiffVerdict {
+    /** Per-file diff verdicts */
+    files: Array<{
+        filePath: string;
+        language: string;
+        verdict: DiffVerdict;
+    }>;
+    /** Aggregate score across all files */
+    overallScore: number;
+    /** Aggregate finding count */
+    totalFindings: number;
+    /** Total changed lines analyzed */
+    totalLinesAnalyzed: number;
+    /** Files that were skipped (binary, too large, unreadable) */
+    skippedFiles: string[];
+    /** Summary */
+    summary: string;
+}
+/**
+ * Parse a unified diff to extract per-file changed line numbers.
+ * Handles standard `git diff` output format.
+ *
+ * Only tracks added/modified lines (lines starting with `+` in the diff),
+ * since those are the lines that need review.
+ */
+export declare function parseUnifiedDiffToChangedLines(diffText: string): FileChangedLines[];
+/**
+ * Evaluate changed files from a git diff.
+ *
+ * Runs `git diff` between the specified base and the working tree (or HEAD),
+ * parses the unified diff to extract per-file changed lines, reads each
+ * changed file, and evaluates only the changed lines.
+ *
+ * @param repoPath - Path to the git repository root
+ * @param base     - Base ref to diff against (e.g., "main", "HEAD~1", "origin/main")
+ * @param options  - Evaluation options passed to each file evaluation
+ * @returns Aggregate verdict across all changed files
+ */
+export declare function evaluateGitDiff(repoPath: string, base?: string, options?: EvaluationOptions): GitDiffVerdict;
+/**
+ * Evaluate a pre-computed diff string (e.g., from a PR webhook payload).
+ * Reads file content from the specified repo path.
+ */
+export declare function evaluateUnifiedDiff(diffText: string, repoPath: string, options?: EvaluationOptions): GitDiffVerdict;

package/dist/git-diff.js

@@ -0,0 +1,282 @@
+/**
+ * Native Git Diff Evaluation
+ *
+ * Integrates git diff parsing directly into the evaluation pipeline,
+ * eliminating the need for callers to manually compute changed lines.
+ *
+ * Provides:
+ * - `evaluateGitDiff()` — evaluates changed files in a git diff
+ * - `parseUnifiedDiffToChangedLines()` — extracts per-file changed lines from unified diff
+ */
+import { readFileSync } from "fs";
+import { resolve, extname } from "path";
+import { evaluateDiff } from "./evaluators/index.js";
+import { tryRunGit } from "./tools/command-safety.js";
+// ─── Diff Parsing ───────────────────────────────────────────────────────────
+/**
+ * Parse a unified diff to extract per-file changed line numbers.
+ * Handles standard `git diff` output format.
+ *
+ * Only tracks added/modified lines (lines starting with `+` in the diff),
+ * since those are the lines that need review.
+ */
+export function parseUnifiedDiffToChangedLines(diffText) {
+    const result = [];
+    let currentFile = "";
+    let currentLines = [];
+    for (const line of diffText.split("\n")) {
+        // Match file header: +++ b/path/to/file
+        if (line.startsWith("+++ b/")) {
+            // Save previous file if it had changes
+            if (currentFile && currentLines.length > 0) {
+                result.push({ filePath: currentFile, changedLines: currentLines });
+            }
+            currentFile = line.substring(6);
+            currentLines = [];
+            continue;
+        }
+        // Match hunk header: @@ -old,count +new,count @@
+        const hunkMatch = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/.exec(line);
+        if (hunkMatch && currentFile) {
+            const startLine = parseInt(hunkMatch[1], 10);
+            const lineCount = parseInt(hunkMatch[2] ?? "1", 10);
+            // Track which new-side lines are additions
+            // We track additions in the line-by-line scan below
+            void startLine;
+            void lineCount;
+            continue;
+        }
+        // Inside a hunk — no need to know startLine here, we track as we go
+    }
+    // Flush last file
+    if (currentFile && currentLines.length > 0) {
+        result.push({ filePath: currentFile, changedLines: currentLines });
+    }
+    // Re-parse with proper line tracking using a stateful approach
+    return parseWithLineTracking(diffText);
+}
+/**
+ * Internal: stateful parse that tracks actual added line numbers.
+ */
+function parseWithLineTracking(diffText) {
+    const result = [];
+    let currentFile = "";
+    let currentLines = [];
+    let newLineNum = 0;
+    let inHunk = false;
+    for (const line of diffText.split("\n")) {
+        // File header
+        if (line.startsWith("+++ b/")) {
+            if (currentFile && currentLines.length > 0) {
+                result.push({ filePath: currentFile, changedLines: [...currentLines] });
+            }
+            currentFile = line.substring(6);
+            currentLines = [];
+            inHunk = false;
+            continue;
+        }
+        // Hunk header
+        const hunkMatch = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(line);
+        if (hunkMatch) {
+            newLineNum = parseInt(hunkMatch[1], 10);
+            inHunk = true;
+            continue;
+        }
+        if (!inHunk || !currentFile)
+            continue;
+        // Context line (present in both old and new)
+        if (line.startsWith(" ")) {
+            newLineNum++;
+            continue;
+        }
+        // Added line
+        if (line.startsWith("+")) {
+            currentLines.push(newLineNum);
+            newLineNum++;
+            continue;
+        }
+        // Removed line (only in old side — don't increment new line counter)
+        if (line.startsWith("-")) {
+            continue;
+        }
+        // Any other line (e.g., , or diff binary headers)
+        // ends the hunk
+        if (line.startsWith("diff ") || line.startsWith("index ") || line.startsWith("---")) {
+            inHunk = false;
+        }
+    }
+    // Flush last file
+    if (currentFile && currentLines.length > 0) {
+        result.push({ filePath: currentFile, changedLines: [...currentLines] });
+    }
+    return result;
+}
+// ─── Language Detection ─────────────────────────────────────────────────────
+const EXT_LANGUAGE_MAP = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".mjs": "javascript",
+    ".cjs": "javascript",
+    ".py": "python",
+    ".rs": "rust",
+    ".go": "go",
+    ".java": "java",
+    ".cs": "csharp",
+    ".cpp": "cpp",
+    ".cc": "cpp",
+    ".cxx": "cpp",
+    ".c": "c",
+    ".h": "c",
+    ".hpp": "cpp",
+    ".php": "php",
+    ".rb": "ruby",
+    ".kt": "kotlin",
+    ".swift": "swift",
+    ".dart": "dart",
+    ".sql": "sql",
+    ".sh": "bash",
+    ".bash": "bash",
+    ".ps1": "powershell",
+    ".bicep": "bicep",
+    ".tf": "terraform",
+    ".json": "json",
+    ".yaml": "yaml",
+    ".yml": "yaml",
+};
+function detectLanguageFromPath(filePath) {
+    const ext = extname(filePath).toLowerCase();
+    return EXT_LANGUAGE_MAP[ext];
+}
+// ─── Git Diff Evaluation ────────────────────────────────────────────────────
+/**
+ * Evaluate changed files from a git diff.
+ *
+ * Runs `git diff` between the specified base and the working tree (or HEAD),
+ * parses the unified diff to extract per-file changed lines, reads each
+ * changed file, and evaluates only the changed lines.
+ *
+ * @param repoPath - Path to the git repository root
+ * @param base     - Base ref to diff against (e.g., "main", "HEAD~1", "origin/main")
+ * @param options  - Evaluation options passed to each file evaluation
+ * @returns Aggregate verdict across all changed files
+ */
+export function evaluateGitDiff(repoPath, base = "HEAD~1", options) {
+    // Get the unified diff
+    const diffOutput = tryRunGit(["diff", base, "--unified=0"], { cwd: repoPath });
+    if (diffOutput === null) {
+        return {
+            files: [],
+            overallScore: 100,
+            totalFindings: 0,
+            totalLinesAnalyzed: 0,
+            skippedFiles: [],
+            summary: "Could not run git diff — ensure git is installed and this is a git repository.",
+        };
+    }
+    if (diffOutput.trim().length === 0) {
+        return {
+            files: [],
+            overallScore: 100,
+            totalFindings: 0,
+            totalLinesAnalyzed: 0,
+            skippedFiles: [],
+            summary: "No changes detected between working tree and " + base,
+        };
+    }
+    const fileChanges = parseUnifiedDiffToChangedLines(diffOutput);
+    const fileVerdicts = [];
+    const skippedFiles = [];
+    for (const fc of fileChanges) {
+        const language = detectLanguageFromPath(fc.filePath);
+        if (!language) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const absolutePath = resolve(repoPath, fc.filePath);
+        let code;
+        try {
+            code = readFileSync(absolutePath, "utf-8");
+        }
+        catch {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        // Skip very large files
+        if (code.length > 300_000) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const verdict = evaluateDiff(code, language, fc.changedLines, undefined, {
+            ...options,
+            filePath: fc.filePath,
+        });
+        fileVerdicts.push({ filePath: fc.filePath, language, verdict });
+    }
+    const totalFindings = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.findings.length, 0);
+    const totalLinesAnalyzed = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.linesAnalyzed, 0);
+    const overallScore = fileVerdicts.length > 0
+        ? Math.round(fileVerdicts.reduce((sum, fv) => sum + fv.verdict.score, 0) / fileVerdicts.length)
+        : 100;
+    const summary = `Git diff analysis (${base}): ${fileVerdicts.length} file(s) analyzed, ` +
+        `${totalLinesAnalyzed} changed lines, ${totalFindings} finding(s), ` +
+        `score ${overallScore}/100` +
+        (skippedFiles.length > 0 ? ` (${skippedFiles.length} file(s) skipped)` : "");
+    return {
+        files: fileVerdicts,
+        overallScore,
+        totalFindings,
+        totalLinesAnalyzed,
+        skippedFiles,
+        summary,
+    };
+}
+/**
+ * Evaluate a pre-computed diff string (e.g., from a PR webhook payload).
+ * Reads file content from the specified repo path.
+ */
+export function evaluateUnifiedDiff(diffText, repoPath, options) {
+    const fileChanges = parseUnifiedDiffToChangedLines(diffText);
+    const fileVerdicts = [];
+    const skippedFiles = [];
+    for (const fc of fileChanges) {
+        const language = detectLanguageFromPath(fc.filePath);
+        if (!language) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const absolutePath = resolve(repoPath, fc.filePath);
+        let code;
+        try {
+            code = readFileSync(absolutePath, "utf-8");
+        }
+        catch {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        if (code.length > 300_000) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const verdict = evaluateDiff(code, language, fc.changedLines, undefined, {
+            ...options,
+            filePath: fc.filePath,
+        });
+        fileVerdicts.push({ filePath: fc.filePath, language, verdict });
+    }
+    const totalFindings = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.findings.length, 0);
+    const totalLinesAnalyzed = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.linesAnalyzed, 0);
+    const overallScore = fileVerdicts.length > 0
+        ? Math.round(fileVerdicts.reduce((sum, fv) => sum + fv.verdict.score, 0) / fileVerdicts.length)
+        : 100;
+    return {
+        files: fileVerdicts,
+        overallScore,
+        totalFindings,
+        totalLinesAnalyzed,
+        skippedFiles,
+        summary: `Diff analysis: ${fileVerdicts.length} file(s), ${totalLinesAnalyzed} changed lines, ` +
+            `${totalFindings} finding(s), score ${overallScore}/100`,
+    };
+}

package/dist/import-resolver.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Cross-File Import Resolution
+ *
+ * Automatically resolves imports from a file's AST and builds
+ * related-file context for deeper cross-file analysis. This bridges
+ * the gap between single-file deterministic analysis and project-wide
+ * vulnerability detection.
+ *
+ * Provides:
+ * - `resolveImports()` — resolves import paths to file content
+ * - `buildRelatedFilesContext()` — builds RelatedFileSnippet[] from imports
+ */
+import type { RelatedFileSnippet } from "./tools/deep-review.js";
+export interface ResolvedImport {
+    /** The import specifier as written in code (e.g., "./utils", "express") */
+    specifier: string;
+    /** Resolved absolute file path (undefined if external/unresolvable) */
+    resolvedPath?: string;
+    /** Whether this is a local (relative) import */
+    isLocal: boolean;
+    /** File content (truncated) if resolved */
+    content?: string;
+}
+export interface ImportResolutionResult {
+    /** Successfully resolved local imports */
+    resolved: ResolvedImport[];
+    /** External/unresolvable imports */
+    external: string[];
+    /** Related file snippets ready for deep-review context */
+    relatedFiles: RelatedFileSnippet[];
+}
+/**
+ * Resolve imports from a source file and return related file context.
+ *
+ * Uses the AST parser to extract import specifiers, resolves local imports
+ * to actual files, reads their content, and returns structured context
+ * suitable for deep-review cross-file analysis.
+ *
+ * @param code       - Source code of the file being analyzed
+ * @param language   - Programming language
+ * @param filePath   - Absolute path to the source file (needed for relative import resolution)
+ * @param maxImports - Maximum number of imports to resolve (default: 20)
+ */
+export declare function resolveImports(code: string, language: string, filePath: string, maxImports?: number): ImportResolutionResult;
+/**
+ * Build related files context from a file's imports.
+ *
+ * Convenience wrapper that returns just the RelatedFileSnippet[] array,
+ * ready to be passed to deep-review or MCP tool context.
+ */
+export declare function buildRelatedFilesContext(code: string, language: string, filePath: string, maxImports?: number): RelatedFileSnippet[];

package/dist/import-resolver.js

@@ -0,0 +1,213 @@
+/**
+ * Cross-File Import Resolution
+ *
+ * Automatically resolves imports from a file's AST and builds
+ * related-file context for deeper cross-file analysis. This bridges
+ * the gap between single-file deterministic analysis and project-wide
+ * vulnerability detection.
+ *
+ * Provides:
+ * - `resolveImports()` — resolves import paths to file content
+ * - `buildRelatedFilesContext()` — builds RelatedFileSnippet[] from imports
+ */
+import { readFileSync, existsSync } from "fs";
+import { resolve, dirname, join } from "path";
+import { analyzeStructure } from "./ast/index.js";
+// ─── Constants ──────────────────────────────────────────────────────────────
+/** Maximum file size to include as related context (bytes) */
+const MAX_RELATED_FILE_SIZE = 50_000;
+/** Maximum snippet length per related file */
+const MAX_SNIPPET_LENGTH = 3_000;
+/** Maximum number of imports to resolve */
+const MAX_IMPORTS_TO_RESOLVE = 20;
+/** Extensions to try when resolving imports without extensions */
+const RESOLVE_EXTENSIONS = [".ts", ".tsx", ".js", ".jsx", ".mjs", ".py", ".rs", ".go", ".java", ".cs"];
+/** Extensions to try for index files */
+const INDEX_FILES = ["index.ts", "index.tsx", "index.js", "index.jsx", "index.mjs"];
+// ─── Import Resolution ─────────────────────────────────────────────────────
+/**
+ * Check if an import specifier is a local/relative import.
+ */
+function isLocalImport(specifier) {
+    return specifier.startsWith("./") || specifier.startsWith("../") || specifier.startsWith("/");
+}
+/**
+ * Try to resolve a local import specifier to an actual file path.
+ */
+function resolveLocalImport(specifier, fromDir) {
+    // Remove .js extension if present (common in ESM TypeScript)
+    const cleanSpecifier = specifier.replace(/\.js$/, "");
+    const basePath = resolve(fromDir, cleanSpecifier);
+    // Try exact path first
+    if (existsSync(basePath) && !isDirectory(basePath)) {
+        return basePath;
+    }
+    // Try with various extensions
+    for (const ext of RESOLVE_EXTENSIONS) {
+        const withExt = basePath + ext;
+        if (existsSync(withExt)) {
+            return withExt;
+        }
+    }
+    // Try as directory with index file
+    for (const indexFile of INDEX_FILES) {
+        const indexPath = join(basePath, indexFile);
+        if (existsSync(indexPath)) {
+            return indexPath;
+        }
+    }
+    // Try the original specifier with extensions (before .js stripping)
+    const origBase = resolve(fromDir, specifier);
+    if (origBase !== basePath && existsSync(origBase) && !isDirectory(origBase)) {
+        return origBase;
+    }
+    return undefined;
+}
+function isDirectory(filePath) {
+    try {
+        const statSync = require("fs").statSync;
+        return statSync(filePath).isDirectory();
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Read a file and return a truncated snippet suitable for cross-file context.
+ */
+function readSnippet(filePath) {
+    try {
+        const content = readFileSync(filePath, "utf-8");
+        if (content.length > MAX_RELATED_FILE_SIZE) {
+            return undefined; // Too large
+        }
+        if (content.length <= MAX_SNIPPET_LENGTH) {
+            return content;
+        }
+        return content.slice(0, MAX_SNIPPET_LENGTH) + "\n// ... truncated";
+    }
+    catch {
+        return undefined;
+    }
+}
+/**
+ * Resolve imports from a source file and return related file context.
+ *
+ * Uses the AST parser to extract import specifiers, resolves local imports
+ * to actual files, reads their content, and returns structured context
+ * suitable for deep-review cross-file analysis.
+ *
+ * @param code       - Source code of the file being analyzed
+ * @param language   - Programming language
+ * @param filePath   - Absolute path to the source file (needed for relative import resolution)
+ * @param maxImports - Maximum number of imports to resolve (default: 20)
+ */
+export function resolveImports(code, language, filePath, maxImports = MAX_IMPORTS_TO_RESOLVE) {
+    const resolved = [];
+    const external = [];
+    const relatedFiles = [];
+    const fromDir = dirname(filePath);
+    // Use AST to extract imports
+    const structure = analyzeStructure(code, language);
+    const imports = structure.imports ?? [];
+    // Also extract imports via regex for languages where AST might not capture all
+    const regexImports = extractImportsViaRegex(code, language);
+    const allImports = [...new Set([...imports, ...regexImports])];
+    let resolvedCount = 0;
+    for (const specifier of allImports) {
+        if (resolvedCount >= maxImports)
+            break;
+        if (!isLocalImport(specifier)) {
+            external.push(specifier);
+            continue;
+        }
+        const resolvedPath = resolveLocalImport(specifier, fromDir);
+        if (!resolvedPath) {
+            resolved.push({ specifier, isLocal: true });
+            continue;
+        }
+        const snippet = readSnippet(resolvedPath);
+        if (!snippet) {
+            resolved.push({ specifier, resolvedPath, isLocal: true });
+            continue;
+        }
+        resolved.push({
+            specifier,
+            resolvedPath,
+            isLocal: true,
+            content: snippet,
+        });
+        relatedFiles.push({
+            path: specifier,
+            snippet,
+            relationship: "imported by target",
+        });
+        resolvedCount++;
+    }
+    return { resolved, external, relatedFiles };
+}
+/**
+ * Build related files context from a file's imports.
+ *
+ * Convenience wrapper that returns just the RelatedFileSnippet[] array,
+ * ready to be passed to deep-review or MCP tool context.
+ */
+export function buildRelatedFilesContext(code, language, filePath, maxImports = MAX_IMPORTS_TO_RESOLVE) {
+    return resolveImports(code, language, filePath, maxImports).relatedFiles;
+}
+// ─── Regex-based Import Extraction (fallback) ───────────────────────────────
+/**
+ * Extract import specifiers using regex patterns for common languages.
+ * This supplements the AST parser for cases where the grammar doesn't
+ * capture all import forms.
+ */
+function extractImportsViaRegex(code, language) {
+    const imports = [];
+    const lines = code.split("\n");
+    for (const line of lines) {
+        const trimmed = line.trim();
+        // TypeScript/JavaScript: import ... from "specifier"
+        // Also: import "specifier" (side-effect)
+        // Also: require("specifier")
+        if (["typescript", "javascript"].includes(language)) {
+            const fromMatch = /from\s+["']([^"']+)["']/.exec(trimmed);
+            if (fromMatch) {
+                imports.push(fromMatch[1]);
+                continue;
+            }
+            const importMatch = /^import\s+["']([^"']+)["']/.exec(trimmed);
+            if (importMatch) {
+                imports.push(importMatch[1]);
+                continue;
+            }
+            const requireMatch = /require\s*\(\s*["']([^"']+)["']\s*\)/.exec(trimmed);
+            if (requireMatch) {
+                imports.push(requireMatch[1]);
+                continue;
+            }
+        }
+        // Python: from module import ... / import module
+        if (language === "python") {
+            const fromImport = /^from\s+(\.[\w.]*)\s+import/.exec(trimmed);
+            if (fromImport) {
+                imports.push(fromImport[1]);
+                continue;
+            }
+        }
+        // Go: import "path" / import ( "path" )
+        if (language === "go") {
+            const goImport = /^\s*"([^"]+)"/.exec(trimmed);
+            if (goImport && goImport[1].includes("/")) {
+                imports.push(goImport[1]);
+            }
+        }
+        // Rust: use crate::module / mod module
+        if (language === "rust") {
+            const useMatch = /^use\s+crate::(\w+)/.exec(trimmed);
+            if (useMatch) {
+                imports.push(`./${useMatch[1]}`);
+            }
+        }
+    }
+    return imports;
+}

package/dist/tools/register-review.js

@@ -4,6 +4,7 @@
 // ──────────────────────────────────────────────────────────────────────────────
 import { z } from "zod";
 import { loadFindingStore, triageFinding, getTriagedFindings, formatTriageSummary, getFindingStats, getSuppressionAnalytics, formatSuppressionAnalytics, } from "../finding-lifecycle.js";
+import { evaluateWithTribunal } from "../evaluators/index.js";
 // ─── Rule-prefix learning context (shared with CLI --explain) ────────────────
 const RULE_PREFIX_CONTEXT = {
     SEC: {
@@ -78,6 +79,7 @@ export function registerReviewTools(server) {
     registerGetFindingStats(server);
     registerGetSuppressionAnalytics(server);
     registerListTriagedFindings(server);
+    registerReEvaluateWithContext(server);
 }
 // ─── explain_finding ─────────────────────────────────────────────────────────
 function registerExplainFinding(server) {
@@ -394,3 +396,155 @@ function registerListTriagedFindings(server) {
         }
     });
 }
+// ─── re_evaluate_with_context ────────────────────────────────────────────────
+function registerReEvaluateWithContext(server) {
+    server.tool("re_evaluate_with_context", "Re-evaluate code with developer-provided context from a multi-turn conversation. Accepts disputed findings, accepted findings, and additional context to adjust the evaluation. This is the agentic feedback loop — the developer explains their intent and the tribunal re-evaluates with that context, applying auto-tune and confidence filtering.", {
+        code: z.string().describe("The source code to re-evaluate"),
+        language: z.string().describe("Programming language (e.g., typescript, python, go)"),
+        disputedRuleIds: z
+            .array(z.string())
+            .optional()
+            .describe("Rule IDs the developer disputes as false positives (e.g., ['SEC-001', 'PERF-003'])"),
+        acceptedRuleIds: z
+            .array(z.string())
+            .optional()
+            .describe("Rule IDs the developer accepts (these will not be filtered)"),
+        developerContext: z
+            .string()
+            .optional()
+            .describe("Free-form explanation from the developer about their intent, design decisions, or why certain findings are incorrect"),
+        focusAreas: z
+            .array(z.string())
+            .optional()
+            .describe("Specific areas to focus the re-evaluation on (e.g., ['security', 'performance'])"),
+        confidenceFilter: z
+            .number()
+            .min(0)
+            .max(1)
+            .optional()
+            .describe("Minimum confidence threshold — findings below this are dropped (default: 0.5)"),
+        filePath: z.string().optional().describe("File path for context-aware evaluation"),
+        deepReview: z
+            .boolean()
+            .optional()
+            .describe("Whether to include the LLM deep-review prompt section in the result"),
+        relatedFiles: z
+            .array(z.object({
+            path: z.string().describe("Path of the related file"),
+            snippet: z.string().describe("Relevant code snippet from the related file"),
+            relationship: z.string().optional().describe("Relationship to the main file (e.g., 'imports', 'tests')"),
+        }))
+            .optional()
+            .describe("Cross-file context for more accurate evaluation"),
+    }, async ({ code, language, disputedRuleIds, acceptedRuleIds, developerContext, focusAreas, confidenceFilter, filePath, deepReview, relatedFiles, }) => {
+        try {
+            // Build context string from developer inputs
+            const contextParts = [];
+            if (developerContext) {
+                contextParts.push(`Developer context: ${developerContext}`);
+            }
+            if (disputedRuleIds && disputedRuleIds.length > 0) {
+                contextParts.push(`Disputed findings: ${disputedRuleIds.join(", ")}`);
+            }
+            if (acceptedRuleIds && acceptedRuleIds.length > 0) {
+                contextParts.push(`Accepted findings: ${acceptedRuleIds.join(", ")}`);
+            }
+            if (focusAreas && focusAreas.length > 0) {
+                contextParts.push(`Focus areas: ${focusAreas.join(", ")}`);
+            }
+            const fullContext = contextParts.join("\n");
+            const evalOptions = {
+                autoTune: true,
+                deepReview: deepReview ?? false,
+                confidenceFilter: confidenceFilter ?? 0.5,
+                filePath,
+                relatedFiles,
+                calibrate: true,
+            };
+            const verdict = evaluateWithTribunal(code, language, fullContext || undefined, evalOptions);
+            // Post-process: mark disputed findings
+            let findings = verdict.findings;
+            if (disputedRuleIds && disputedRuleIds.length > 0) {
+                const disputedSet = new Set(disputedRuleIds);
+                findings = findings.map((f) => {
+                    if (disputedSet.has(f.ruleId)) {
+                        return {
+                            ...f,
+                            confidence: Math.max(0.1, (f.confidence ?? 0.5) * 0.5),
+                            confidenceTier: "supplementary",
+                        };
+                    }
+                    return f;
+                });
+                // Re-filter after confidence adjustment
+                if (confidenceFilter) {
+                    findings = findings.filter((f) => (f.confidence ?? 0.5) >= confidenceFilter);
+                }
+            }
+            const sections = [];
+            sections.push(`# Re-Evaluation Results\n`);
+            sections.push(`**Verdict:** ${verdict.overallVerdict} · **Score:** ${verdict.overallScore}/100`);
+            sections.push(`**Findings:** ${findings.length} (after context adjustment)`);
+            if (verdict.autoTuneApplied) {
+                sections.push(`**Auto-tune:** ${verdict.autoTuneApplied.suppressed} suppressed, ${verdict.autoTuneApplied.downgraded} downgraded`);
+            }
+            if (verdict.confidenceFilterApplied) {
+                sections.push(`**Confidence filter:** ${verdict.confidenceFilterApplied.filteredOut} findings below ${Math.round(verdict.confidenceFilterApplied.threshold * 100)}% filtered out`);
+            }
+            if (findings.length > 0) {
+                sections.push(`\n## Findings\n`);
+                for (const f of findings) {
+                    const conf = f.confidence !== undefined && f.confidence !== null ? ` (${Math.round(f.confidence * 100)}%)` : "";
+                    const tier = f.confidenceTier ? ` [${f.confidenceTier}]` : "";
+                    sections.push(`- **${f.ruleId}** ${f.severity}${conf}${tier}: ${f.title}`);
+                }
+            }
+            if (disputedRuleIds && disputedRuleIds.length > 0) {
+                const stillPresent = findings.filter((f) => disputedRuleIds.includes(f.ruleId));
+                const resolved = disputedRuleIds.filter((id) => !findings.some((f) => f.ruleId === id));
+                if (resolved.length > 0) {
+                    sections.push(`\n## Disputed findings resolved\n`);
+                    sections.push(`The following disputed findings were dropped: ${resolved.join(", ")}`);
+                }
+                if (stillPresent.length > 0) {
+                    sections.push(`\n## Disputed findings retained\n`);
+                    sections.push(`The following remain with reduced confidence: ${stillPresent.map((f) => `${f.ruleId} (${Math.round((f.confidence ?? 0) * 100)}%)`).join(", ")}`);
+                }
+            }
+            const structured = {
+                overallVerdict: verdict.overallVerdict,
+                overallScore: verdict.overallScore,
+                findingCount: findings.length,
+                autoTuneApplied: verdict.autoTuneApplied ?? null,
+                confidenceFilterApplied: verdict.confidenceFilterApplied ?? null,
+                disputedResolved: disputedRuleIds?.filter((id) => !findings.some((f) => f.ruleId === id)) ?? [],
+                findings: findings.map((f) => ({
+                    ruleId: f.ruleId,
+                    severity: f.severity,
+                    confidence: f.confidence,
+                    confidenceTier: f.confidenceTier,
+                    title: f.title,
+                })),
+            };
+            const contentBlocks = [
+                { type: "text", text: sections.join("\n") },
+                { type: "text", text: "```json\n" + JSON.stringify(structured, null, 2) + "\n```" },
+            ];
+            if (verdict.deepReviewPrompt) {
+                contentBlocks.push({ type: "text", text: verdict.deepReviewPrompt });
+            }
+            return { content: contentBlocks };
+        }
+        catch (error) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: error instanceof Error ? `Error: ${error.message}` : "Error: Re-evaluation failed",
+                    },
+                ],
+                isError: true,
+            };
+        }
+    });
+}

package/dist/tools/register-workflow.js

@@ -8,6 +8,7 @@ import { evaluateProject, evaluateDiff, analyzeDependencies, runAppBuilderWorkfl
 import { evaluateFilesBatch } from "../api.js";
 import { getGlobalSession } from "../evaluation-session.js";
 import { generatePublicRepoReport } from "../reports/public-repo-report.js";
+import { evaluateGitDiff, evaluateUnifiedDiff } from "../git-diff.js";
 import { configSchema, toJudgesConfig } from "./schemas.js";
 import { validateCodeSize } from "./validation.js";
 import { benchmarkGate, formatBenchmarkReport, formatBenchmarkMarkdown, runBenchmarkSuite, } from "../commands/benchmark.js";
@@ -20,6 +21,7 @@ export function registerWorkflowTools(server) {
     registerAppBuilderFlow(server);
     registerEvaluateProject(server);
     registerEvaluateDiff(server);
+    registerEvaluateGitDiff(server);
     registerAnalyzeDependencies(server);
     registerBenchmarkGate(server);
     registerBenchmarkDashboard(server);
@@ -919,3 +921,111 @@ function registerRecordFeedback(server) {
         };
     });
 }
+// ─── evaluate_git_diff ───────────────────────────────────────────────────────
+function registerEvaluateGitDiff(server) {
+    server.tool("evaluate_git_diff", "Evaluate code changes from a git diff. Parses the unified diff from a git repository, identifies changed files and lines, and runs the full tribunal on each changed file — filtering findings to only those on changed lines. Supports both live git repos (provide repoPath + base ref) and pre-computed diffs (provide diffText).", {
+        repoPath: z
+            .string()
+            .optional()
+            .describe("Absolute path to the git repository. Required when not providing diffText."),
+        base: z
+            .string()
+            .optional()
+            .describe("Git ref to diff against (e.g., 'main', 'HEAD~1', 'origin/main'). Default: 'HEAD~1'"),
+        diffText: z
+            .string()
+            .optional()
+            .describe("Pre-computed unified diff text. When provided, repoPath is used only for reading file contents."),
+        confidenceFilter: z
+            .number()
+            .min(0)
+            .max(1)
+            .optional()
+            .describe("Minimum confidence threshold for findings (default: no filter)"),
+        autoTune: z
+            .boolean()
+            .optional()
+            .describe("Apply feedback-driven auto-tuning to reduce false positives (default: false)"),
+        config: configSchema,
+    }, async ({ repoPath, base, diffText, confidenceFilter, autoTune, config }) => {
+        try {
+            const evalOptions = {
+                confidenceFilter,
+                autoTune,
+                config: toJudgesConfig(config),
+            };
+            let result;
+            if (diffText) {
+                result = evaluateUnifiedDiff(diffText, repoPath ?? ".", evalOptions);
+            }
+            else if (repoPath) {
+                result = evaluateGitDiff(repoPath, base ?? "HEAD~1", evalOptions);
+            }
+            else {
+                return {
+                    content: [
+                        {
+                            type: "text",
+                            text: "Error: Provide either `repoPath` (for live git diff) or `diffText` (for pre-computed diff).",
+                        },
+                    ],
+                    isError: true,
+                };
+            }
+            let md = `# Git Diff Analysis\n\n`;
+            md += `**Files changed:** ${result.files.length}\n`;
+            md += `**Total findings:** ${result.totalFindings}\n\n`;
+            for (const file of result.files) {
+                md += `## ${file.filePath}\n`;
+                md += `**Verdict:** ${file.verdict.verdict} · **Score:** ${file.verdict.score}/100 · `;
+                md += `**Changed lines:** ${file.verdict.linesAnalyzed} · **Findings:** ${file.verdict.findings.length}\n\n`;
+                if (file.verdict.findings.length > 0) {
+                    for (const f of file.verdict.findings) {
+                        const conf = f.confidence !== undefined && f.confidence !== null ? ` (${Math.round(f.confidence * 100)}%)` : "";
+                        md += `- **${f.ruleId}** ${f.severity}${conf}: ${f.title}`;
+                        if (f.lineNumbers && f.lineNumbers.length > 0) {
+                            md += ` (L${f.lineNumbers.join(", L")})`;
+                        }
+                        md += `\n`;
+                    }
+                    md += `\n`;
+                }
+            }
+            const structured = {
+                filesAnalyzed: result.files.length,
+                totalFindings: result.totalFindings,
+                fileVerdicts: result.files.map((fv) => ({
+                    filePath: fv.filePath,
+                    verdict: fv.verdict.verdict,
+                    score: fv.verdict.score,
+                    changedLineCount: fv.verdict.linesAnalyzed,
+                    findingCount: fv.verdict.findings.length,
+                    findings: fv.verdict.findings.map((f) => ({
+                        ruleId: f.ruleId,
+                        severity: f.severity,
+                        confidence: f.confidence,
+                        title: f.title,
+                        lineNumbers: f.lineNumbers,
+                    })),
+                })),
+            };
+            return {
+                content: [
+                    { type: "text", text: md },
+                    { type: "text", text: "```json\n" + JSON.stringify(structured, null, 2) + "\n```" },
+                ],
+            };
+        }
+        catch (error) {
+            return {
+                content: [
+                    {
+                        type: "text",
+                        text: error instanceof Error ? `Error: ${error.message}` : "Error: Failed to evaluate git diff",
+                    },
+                ],
+                isError: true,
+            };
+        }
+    });
+}

package/dist/types.d.ts

@@ -670,6 +670,28 @@ export interface TribunalVerdict {
         /** Recommended action */
         recommendation: string;
     };
+    /**
+     * LLM deep-review prompt section. Present when `deepReview: true` is set
+     * in evaluation options. Contains a structured prompt that downstream LLM
+     * consumers can use for a second-pass analysis of the findings.
+     */
+    deepReviewPrompt?: string;
+    /**
+     * Auto-tune metadata. Present when `autoTune: true` is set and feedback
+     * data was applied. Records how many findings were suppressed or downgraded.
+     */
+    autoTuneApplied?: {
+        suppressed: number;
+        downgraded: number;
+    };
+    /**
+     * Confidence filter metadata. Present when `confidenceFilter` is set.
+     * Records how many findings were filtered out due to low confidence.
+     */
+    confidenceFilterApplied?: {
+        threshold: number;
+        filteredOut: number;
+    };
 }
 /**
  * Must-fix gate configuration for high-risk findings.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kevinrabun/judges",
-  "version": "3.117.8",
+  "version": "3.118.0",
   "description": "45 specialized judges that evaluate AI-generated code for security, cost, and quality.",
   "mcpName": "io.github.KevinRabun/judges",
   "type": "module",

package/server.json

@@ -7,12 +7,12 @@
     "url": "https://github.com/kevinrabun/judges",
     "source": "github"
   },
-  "version": "3.117.8",
+  "version": "3.118.0",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "@kevinrabun/judges",
-      "version": "3.117.8",
+      "version": "3.118.0",
       "transport": {
         "type": "stdio"
       }