@kevinrabun/judges 3.117.8 → 3.119.0

package/README.md

@@ -1098,6 +1098,36 @@ Analyze a dependency manifest file for supply-chain risks, version pinning issue
 | `manifestType` | string | yes | File type: `package.json`, `requirements.txt`, etc. |
 | `context` | string | no | Optional context |
 
+### `evaluate_git_diff`
+Evaluate only **changed lines** from a git diff. Provide either `repoPath` for a live git diff or `diffText` for a pre-computed unified diff.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `repoPath` | string | conditional | Absolute path to the git repository |
+| `base` | string | no | Git ref to diff against (default: `HEAD~1`) |
+| `diffText` | string | conditional | Pre-computed unified diff text |
+| `confidenceFilter` | number | no | Minimum confidence threshold for findings (0–1) |
+| `autoTune` | boolean | no | Apply feedback-driven auto-tuning (default: false) |
+| `maxPromptChars` | number | no | Max character budget for LLM prompts (default: 100000, 0 = unlimited) |
+| `config` | object | no | Inline configuration |
+
+### `re_evaluate_with_context`
+Re-run the tribunal with **prior findings as context** for iterative refinement. Supports dispute resolution, developer context injection, and focus-area filtering.
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `code` | string | yes | Source code to re-evaluate |
+| `language` | string | yes | Programming language |
+| `disputedRuleIds` | string[] | no | Rule IDs the developer disputes as false positives |
+| `acceptedRuleIds` | string[] | no | Rule IDs the developer accepts |
+| `developerContext` | string | no | Free-form explanation of developer intent |
+| `focusAreas` | string[] | no | Specific areas to focus on (e.g., `["security"]`) |
+| `confidenceFilter` | number | no | Minimum confidence threshold (default: 0.5) |
+| `filePath` | string | no | File path for context-aware evaluation |
+| `deepReview` | boolean | no | Include LLM deep-review prompt section |
+| `relatedFiles` | array | no | Cross-file context `{ path, snippet, relationship? }[]` |
+| `maxPromptChars` | number | no | Max character budget for LLM prompts (default: 100000, 0 = unlimited) |
+
 #### Judge IDs
 
 `data-security` · `cybersecurity` · `cost-effectiveness` · `scalability` · `cloud-readiness` · `software-practices` · `accessibility` · `api-design` · `reliability` · `observability` · `performance` · `compliance` · `data-sovereignty` · `testing` · `documentation` · `internationalization` · `dependency-health` · `concurrency` · `ethics-bias` · `maintainability` · `error-handling` · `authentication` · `database` · `caching` · `configuration-management` · `backwards-compatibility` · `portability` · `ux` · `logging-privacy` · `rate-limiting` · `ci-cd` · `code-structure` · `agent-instructions` · `ai-code-safety` · `framework-safety` · `iac-security` · `false-positive-review`

package/dist/api.d.ts

@@ -20,7 +20,7 @@ export { getPreset, composePresets, listPresets, PRESETS } from "./presets.js";
 export type { Preset } from "./presets.js";
 export { evaluateCodeV2, evaluateProjectV2, getSupportedPolicyProfiles } from "./evaluators/v2.js";
 export { analyzeCrossFileTaint } from "./ast/cross-file-taint.js";
-export { buildSingleJudgeDeepReviewSection, buildTribunalDeepReviewSection, buildSimplifiedDeepReviewSection, isContentPolicyRefusal, DEEP_REVIEW_PROMPT_INTRO, DEEP_REVIEW_IDENTITY, } from "./tools/deep-review.js";
+export { buildSingleJudgeDeepReviewSection, buildTribunalDeepReviewSection, buildSimplifiedDeepReviewSection, formatRelatedFilesSection, isContentPolicyRefusal, DEEP_REVIEW_PROMPT_INTRO, DEEP_REVIEW_IDENTITY, DEFAULT_MAX_PROMPT_CHARS, } from "./tools/deep-review.js";
 export type { RelatedFileSnippet } from "./tools/deep-review.js";
 export { getCondensedCriteria } from "./tools/prompts.js";
 export { parseDismissedFindings, recordL2Feedback, loadFeedbackStore, saveFeedbackStore, addFeedback, computeFeedbackStats, getFpRateByRule, mergeFeedbackStores, computeTeamFeedbackStats, formatTeamStatsOutput, } from "./commands/feedback.js";
@@ -161,3 +161,9 @@ export declare function evaluateFilesStream(files: FileInput[], options?: Evalua
 export declare function evaluateFilesBatch(files: FileInput[], concurrency?: number, options?: EvaluationOptions, onProgress?: (completed: number, total: number) => void): Promise<FileEvaluationResult[]>;
 export { handleWebhook, verifyWebhookSignature, loadAppConfig, startAppServer, runAppCommand } from "./github-app.js";
 export type { GitHubAppConfig } from "./github-app.js";
+export { evaluateGitDiff, evaluateUnifiedDiff, parseUnifiedDiffToChangedLines } from "./git-diff.js";
+export type { FileChangedLines, GitDiffVerdict } from "./git-diff.js";
+export { resolveImports, buildRelatedFilesContext } from "./import-resolver.js";
+export type { ResolvedImport, ImportResolutionResult } from "./import-resolver.js";
+export { applyAutoTune, generateAutoTuneReport, formatAutoTuneReport, formatAutoTuneReportJson } from "./auto-tune.js";
+export type { AutoTuneReport, AutoTuneOptions, AutoTuneAction } from "./auto-tune.js";

package/dist/api.js

@@ -27,7 +27,7 @@ export { evaluateCodeV2, evaluateProjectV2, getSupportedPolicyProfiles } from ".
 // ─── Cross-File Taint Analysis ───────────────────────────────────────────────
 export { analyzeCrossFileTaint } from "./ast/cross-file-taint.js";
 // ─── Deep Review Prompts ─────────────────────────────────────────────────────
-export { buildSingleJudgeDeepReviewSection, buildTribunalDeepReviewSection, buildSimplifiedDeepReviewSection, isContentPolicyRefusal, DEEP_REVIEW_PROMPT_INTRO, DEEP_REVIEW_IDENTITY, } from "./tools/deep-review.js";
+export { buildSingleJudgeDeepReviewSection, buildTribunalDeepReviewSection, buildSimplifiedDeepReviewSection, formatRelatedFilesSection, isContentPolicyRefusal, DEEP_REVIEW_PROMPT_INTRO, DEEP_REVIEW_IDENTITY, DEFAULT_MAX_PROMPT_CHARS, } from "./tools/deep-review.js";
 // ─── Prompt Utilities ────────────────────────────────────────────────────────
 export { getCondensedCriteria } from "./tools/prompts.js";
 // ─── Feedback & Calibration ─────────────────────────────────────────────────
@@ -187,3 +187,9 @@ export async function evaluateFilesBatch(files, concurrency = 4, options, onProg
 }
 // ─── GitHub App ──────────────────────────────────────────────────────────────
 export { handleWebhook, verifyWebhookSignature, loadAppConfig, startAppServer, runAppCommand } from "./github-app.js";
+// ─── Git Diff Evaluation ─────────────────────────────────────────────────────
+export { evaluateGitDiff, evaluateUnifiedDiff, parseUnifiedDiffToChangedLines } from "./git-diff.js";
+// ─── Cross-File Import Resolution ────────────────────────────────────────────
+export { resolveImports, buildRelatedFilesContext } from "./import-resolver.js";
+// ─── Auto-Tune (Feedback-Driven Calibration) ────────────────────────────────
+export { applyAutoTune, generateAutoTuneReport, formatAutoTuneReport, formatAutoTuneReportJson } from "./auto-tune.js";

package/dist/commands/watch.d.ts

@@ -7,11 +7,16 @@
  *   judges watch src/ --judge cyber       # Single judge only
  *   judges watch src/ --fail-on-findings  # Exit 1 on first failure
  */
+import { watch as fsWatch } from "fs";
 interface WatchArgs {
     path: string;
     judge: string | undefined;
     failOnFindings: boolean;
 }
 export declare function parseWatchArgs(argv: string[]): WatchArgs;
-export declare function runWatch(argv: string[]): void;
+export interface WatchOptions {
+    /** Override the fs.watch function (useful for testing). */
+    fsWatch?: typeof fsWatch;
+}
+export declare function runWatch(argv: string[], options?: WatchOptions): void;
 export {};

package/dist/commands/watch.js

@@ -126,8 +126,8 @@ function debounce(fn, ms) {
         timer = setTimeout(fn, ms);
     };
 }
-// ─── Main Watch Command ────────────────────────────────────────────────────
-export function runWatch(argv) {
+export function runWatch(argv, options) {
+    const watchFn = options?.fsWatch ?? fsWatch;
     const args = parseWatchArgs(argv);
     const target = resolve(args.path);
     if (!existsSync(target)) {
@@ -146,7 +146,7 @@ export function runWatch(argv) {
     const isDir = statSync(target).isDirectory();
     if (isDir) {
         // Watch directory recursively
-        const watcher = fsWatch(target, { recursive: true });
+        const watcher = watchFn(target, { recursive: true });
         watcher.on("change", (_event, filename) => {
             if (!filename)
                 return;
@@ -178,7 +178,7 @@ export function runWatch(argv) {
                 console.error(`  Error evaluating ${args.path}:`, err);
             }
         }, 300);
-        const watcher = fsWatch(target);
+        const watcher = watchFn(target);
         watcher.on("change", () => debouncedEval());
         // Run initial evaluation
         evaluateFile(target, detectLanguage(target), args.judge);

package/dist/evaluators/index.d.ts

@@ -59,6 +59,52 @@ export interface EvaluationOptions {
      * and improves performance. Defaults to false (run all judges).
      */
     adaptiveSelection?: boolean;
+    /**
+     * Enable automatic feedback-driven auto-tuning.
+     * When true, loads the feedback store and applies time-decay weighted
+     * auto-suppression (FP rate >= 80%), severity downgrading (50-80%),
+     * and confidence boosting (< 15%) without requiring `calibrate` to be set.
+     * Defaults to false. When both `autoTune` and `calibrate` are set,
+     * auto-tune runs first, then calibration refines further.
+     */
+    autoTune?: boolean;
+    /**
+     * Include deep-review prompt section in the verdict for LLM-augmented analysis.
+     * When true, appends the tribunal deep-review criteria to the verdict metadata
+     * so that downstream LLM consumers can perform contextual reasoning beyond
+     * pattern matching. This is the bridge between Layer 1 (deterministic) and
+     * Layer 2 (LLM) review.
+     */
+    deepReview?: boolean;
+    /**
+     * Related file snippets for cross-file deep-review context.
+     * When deepReview is enabled, these are included in the deep-review prompt
+     * to give the LLM visibility into imports, shared types, and call sites.
+     */
+    relatedFiles?: Array<{
+        path: string;
+        snippet: string;
+        relationship?: string;
+    }>;
+    /**
+     * Minimum confidence threshold for findings to appear in the output.
+     * Findings below this threshold are filtered out of the verdict.
+     * The verdict includes a `filteredCount` field showing how many were removed.
+     * Value range: 0-1 (e.g., 0.6 means only findings with >= 60% confidence appear).
+     */
+    confidenceFilter?: number;
+    /**
+     * Maximum character budget for LLM-facing prompt content.
+     * Controls truncation of:
+     * - Source code in deep-review prompts (truncated with summary when exceeded)
+     * - Related file snippets (array trimmed to fit budget)
+     * - Developer context strings (truncated)
+     *
+     * Defaults to 100_000 (~25K tokens). Set to 0 to disable all truncation
+     * (use with caution — large files can produce prompts that exceed model
+     * context windows and waste tokens).
+     */
+    maxPromptChars?: number;
     /** @internal — pre-computed AST structure for the file (set by evaluateWithTribunal) */
     _astCache?: CodeStructure;
     /** @internal — pre-computed taint flows for the file (set by evaluateWithTribunal) */

package/dist/evaluators/index.js

@@ -23,6 +23,8 @@ import { selectJudges } from "./judge-selector.js";
 import { getGlobalSession } from "../evaluation-session.js";
 import { evaluateEscalations, enhanceReviewWithEscalations } from "../escalation.js";
 import { applyRecallBoost } from "./recall-boost.js";
+import { buildTribunalDeepReviewSection } from "../tools/deep-review.js";
+import { detectProjectContext } from "./shared.js";
 // ── AST-aware post-processing ───────────────────────────────────────────────
 // ── Module-level caches for AST/taint results ───────────────────────────────
 const astStructureCache = new LRUCache(256);
@@ -634,6 +636,10 @@ export function evaluateWithTribunal(code, language, context, options) {
             ms: options.config?.minSeverity,
             jw: options.config?.judgeWeights,
             mfg: options.mustFixGate,
+            at: options.autoTune,
+            drev: options.deepReview,
+            cf: options.confidenceFilter,
+            rf: options.relatedFiles?.length,
         })
         : "";
     const hash = contentHash(code, language + optionsSuffix);
@@ -749,6 +755,7 @@ export function evaluateWithTribunal(code, language, context, options) {
     // 2. Severity downgrade for rules with FP rate 50-80%
     // 3. Confidence calibration based on historical FP rates
     let calibrated = configFiltered;
+    let autoTuneMetadata;
     if (enrichedOptions.calibrate) {
         try {
             const calOpts = typeof enrichedOptions.calibrate === "object" ? enrichedOptions.calibrate : undefined;
@@ -756,6 +763,7 @@ export function evaluateWithTribunal(code, language, context, options) {
             if (feedbackStore.entries.length > 0) {
                 const tuned = applyAutoTune(calibrated, feedbackStore);
                 calibrated = tuned.findings;
+                autoTuneMetadata = { suppressed: tuned.suppressed, downgraded: tuned.downgraded };
             }
             else {
                 // No feedback data — try plain calibration profile
@@ -769,6 +777,23 @@ export function evaluateWithTribunal(code, language, context, options) {
             // Calibration failure is non-fatal — continue with uncalibrated findings
         }
     }
+    else if (enrichedOptions.autoTune) {
+        // ── Standalone auto-tune (without full calibrate) ──
+        // Lightweight feedback-only tuning path: applies auto-suppression and
+        // severity downgrades from the feedback store without requiring a
+        // full calibration profile.
+        try {
+            const feedbackStore = loadFeedbackStore();
+            if (feedbackStore.entries.length > 0) {
+                const tuned = applyAutoTune(calibrated, feedbackStore);
+                calibrated = tuned.findings;
+                autoTuneMetadata = { suppressed: tuned.suppressed, downgraded: tuned.downgraded };
+            }
+        }
+        catch {
+            // Auto-tune failure is non-fatal
+        }
+    }
     // ── Auto-activate model-specific calibration profile ──
     // If the model-fingerprint judge detected a model, apply the model-specific
     // calibration profile automatically (when feedback data exists).
@@ -829,7 +854,20 @@ export function evaluateWithTribunal(code, language, context, options) {
     catch {
         // Session feedback calibration failure is non-fatal
     }
-    const cappedFindings = applyPerFileFindingCap(sessionAdjusted, maxFindings);
+    // ── Confidence-based output filtering ──
+    // When confidenceFilter is set, drop findings below the threshold entirely.
+    // This gives callers a first-class knob to control signal-to-noise ratio.
+    let confidenceFiltered = sessionAdjusted;
+    let confidenceFilteredOutCount = 0;
+    if (enrichedOptions.confidenceFilter !== undefined &&
+        enrichedOptions.confidenceFilter !== null &&
+        enrichedOptions.confidenceFilter > 0) {
+        const threshold = enrichedOptions.confidenceFilter;
+        const before = confidenceFiltered.length;
+        confidenceFiltered = confidenceFiltered.filter((f) => (f.confidence ?? 0.5) >= threshold);
+        confidenceFilteredOutCount = before - confidenceFiltered.length;
+    }
+    const cappedFindings = applyPerFileFindingCap(confidenceFiltered, maxFindings);
     // ── Confidence-based tiering for progressive disclosure ──
     // Tag each finding with a disclosure tier so downstream consumers (CLI,
     // formatters, VS Code extension) can show only high-confidence findings
@@ -882,6 +920,32 @@ export function evaluateWithTribunal(code, language, context, options) {
         },
         reviewDecision: synthesizeReviewDecision(enrichedFindings),
     };
+    // ── Deep review prompt attachment (P0.1) ──
+    // When deepReview is enabled, build and attach a structured LLM prompt
+    // section so downstream consumers can trigger a second-pass analysis.
+    if (enrichedOptions.deepReview) {
+        try {
+            const projectCtx = detectProjectContext(code, language, enrichedOptions.filePath);
+            const relatedSnippets = enrichedOptions.relatedFiles ?? [];
+            result.deepReviewPrompt = buildTribunalDeepReviewSection(judges, language, context, relatedSnippets.map((r) => ({ path: r.path, snippet: r.snippet, relationship: r.relationship })), projectCtx, enrichedOptions.maxPromptChars);
+        }
+        catch {
+            // Deep review prompt generation failure is non-fatal
+        }
+    }
+    // ── Attach auto-tune metadata ──
+    if (autoTuneMetadata) {
+        result.autoTuneApplied = autoTuneMetadata;
+    }
+    // ── Attach confidence filter metadata ──
+    if (enrichedOptions.confidenceFilter !== undefined &&
+        enrichedOptions.confidenceFilter !== null &&
+        confidenceFilteredOutCount > 0) {
+        result.confidenceFilterApplied = {
+            threshold: enrichedOptions.confidenceFilter,
+            filteredOut: confidenceFilteredOutCount,
+        };
+    }
     // ── AI model detection escalation ──
     // When the model-fingerprint judge (MFPR-* rules) fires, attach escalation
     // metadata so downstream consumers can trigger deeper review or add

package/dist/git-diff.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Native Git Diff Evaluation
+ *
+ * Integrates git diff parsing directly into the evaluation pipeline,
+ * eliminating the need for callers to manually compute changed lines.
+ *
+ * Provides:
+ * - `evaluateGitDiff()` — evaluates changed files in a git diff
+ * - `parseUnifiedDiffToChangedLines()` — extracts per-file changed lines from unified diff
+ */
+import type { DiffVerdict } from "./types.js";
+import type { EvaluationOptions } from "./evaluators/index.js";
+export interface FileChangedLines {
+    /** Relative file path */
+    filePath: string;
+    /** 1-based line numbers that were added or modified */
+    changedLines: number[];
+}
+export interface GitDiffVerdict {
+    /** Per-file diff verdicts */
+    files: Array<{
+        filePath: string;
+        language: string;
+        verdict: DiffVerdict;
+    }>;
+    /** Aggregate score across all files */
+    overallScore: number;
+    /** Aggregate finding count */
+    totalFindings: number;
+    /** Total changed lines analyzed */
+    totalLinesAnalyzed: number;
+    /** Files that were skipped (binary, too large, unreadable) */
+    skippedFiles: string[];
+    /** Summary */
+    summary: string;
+}
+/**
+ * Parse a unified diff to extract per-file changed line numbers.
+ * Handles standard `git diff` output format.
+ *
+ * Only tracks added/modified lines (lines starting with `+` in the diff),
+ * since those are the lines that need review.
+ */
+export declare function parseUnifiedDiffToChangedLines(diffText: string): FileChangedLines[];
+/**
+ * Evaluate changed files from a git diff.
+ *
+ * Runs `git diff` between the specified base and the working tree (or HEAD),
+ * parses the unified diff to extract per-file changed lines, reads each
+ * changed file, and evaluates only the changed lines.
+ *
+ * @param repoPath - Path to the git repository root
+ * @param base     - Base ref to diff against (e.g., "main", "HEAD~1", "origin/main")
+ * @param options  - Evaluation options passed to each file evaluation
+ * @returns Aggregate verdict across all changed files
+ */
+export declare function evaluateGitDiff(repoPath: string, base?: string, options?: EvaluationOptions): GitDiffVerdict;
+/**
+ * Evaluate a pre-computed diff string (e.g., from a PR webhook payload).
+ * Reads file content from the specified repo path.
+ */
+export declare function evaluateUnifiedDiff(diffText: string, repoPath: string, options?: EvaluationOptions): GitDiffVerdict;

package/dist/git-diff.js

@@ -0,0 +1,282 @@
+/**
+ * Native Git Diff Evaluation
+ *
+ * Integrates git diff parsing directly into the evaluation pipeline,
+ * eliminating the need for callers to manually compute changed lines.
+ *
+ * Provides:
+ * - `evaluateGitDiff()` — evaluates changed files in a git diff
+ * - `parseUnifiedDiffToChangedLines()` — extracts per-file changed lines from unified diff
+ */
+import { readFileSync } from "fs";
+import { resolve, extname } from "path";
+import { evaluateDiff } from "./evaluators/index.js";
+import { tryRunGit } from "./tools/command-safety.js";
+// ─── Diff Parsing ───────────────────────────────────────────────────────────
+/**
+ * Parse a unified diff to extract per-file changed line numbers.
+ * Handles standard `git diff` output format.
+ *
+ * Only tracks added/modified lines (lines starting with `+` in the diff),
+ * since those are the lines that need review.
+ */
+export function parseUnifiedDiffToChangedLines(diffText) {
+    const result = [];
+    let currentFile = "";
+    let currentLines = [];
+    for (const line of diffText.split("\n")) {
+        // Match file header: +++ b/path/to/file
+        if (line.startsWith("+++ b/")) {
+            // Save previous file if it had changes
+            if (currentFile && currentLines.length > 0) {
+                result.push({ filePath: currentFile, changedLines: currentLines });
+            }
+            currentFile = line.substring(6);
+            currentLines = [];
+            continue;
+        }
+        // Match hunk header: @@ -old,count +new,count @@
+        const hunkMatch = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,(\d+))? @@/.exec(line);
+        if (hunkMatch && currentFile) {
+            const startLine = parseInt(hunkMatch[1], 10);
+            const lineCount = parseInt(hunkMatch[2] ?? "1", 10);
+            // Track which new-side lines are additions
+            // We track additions in the line-by-line scan below
+            void startLine;
+            void lineCount;
+            continue;
+        }
+        // Inside a hunk — no need to know startLine here, we track as we go
+    }
+    // Flush last file
+    if (currentFile && currentLines.length > 0) {
+        result.push({ filePath: currentFile, changedLines: currentLines });
+    }
+    // Re-parse with proper line tracking using a stateful approach
+    return parseWithLineTracking(diffText);
+}
+/**
+ * Internal: stateful parse that tracks actual added line numbers.
+ */
+function parseWithLineTracking(diffText) {
+    const result = [];
+    let currentFile = "";
+    let currentLines = [];
+    let newLineNum = 0;
+    let inHunk = false;
+    for (const line of diffText.split("\n")) {
+        // File header
+        if (line.startsWith("+++ b/")) {
+            if (currentFile && currentLines.length > 0) {
+                result.push({ filePath: currentFile, changedLines: [...currentLines] });
+            }
+            currentFile = line.substring(6);
+            currentLines = [];
+            inHunk = false;
+            continue;
+        }
+        // Hunk header
+        const hunkMatch = /^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@/.exec(line);
+        if (hunkMatch) {
+            newLineNum = parseInt(hunkMatch[1], 10);
+            inHunk = true;
+            continue;
+        }
+        if (!inHunk || !currentFile)
+            continue;
+        // Context line (present in both old and new)
+        if (line.startsWith(" ")) {
+            newLineNum++;
+            continue;
+        }
+        // Added line
+        if (line.startsWith("+")) {
+            currentLines.push(newLineNum);
+            newLineNum++;
+            continue;
+        }
+        // Removed line (only in old side — don't increment new line counter)
+        if (line.startsWith("-")) {
+            continue;
+        }
+        // Any other line (e.g., , or diff binary headers)
+        // ends the hunk
+        if (line.startsWith("diff ") || line.startsWith("index ") || line.startsWith("---")) {
+            inHunk = false;
+        }
+    }
+    // Flush last file
+    if (currentFile && currentLines.length > 0) {
+        result.push({ filePath: currentFile, changedLines: [...currentLines] });
+    }
+    return result;
+}
+// ─── Language Detection ─────────────────────────────────────────────────────
+const EXT_LANGUAGE_MAP = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".mjs": "javascript",
+    ".cjs": "javascript",
+    ".py": "python",
+    ".rs": "rust",
+    ".go": "go",
+    ".java": "java",
+    ".cs": "csharp",
+    ".cpp": "cpp",
+    ".cc": "cpp",
+    ".cxx": "cpp",
+    ".c": "c",
+    ".h": "c",
+    ".hpp": "cpp",
+    ".php": "php",
+    ".rb": "ruby",
+    ".kt": "kotlin",
+    ".swift": "swift",
+    ".dart": "dart",
+    ".sql": "sql",
+    ".sh": "bash",
+    ".bash": "bash",
+    ".ps1": "powershell",
+    ".bicep": "bicep",
+    ".tf": "terraform",
+    ".json": "json",
+    ".yaml": "yaml",
+    ".yml": "yaml",
+};
+function detectLanguageFromPath(filePath) {
+    const ext = extname(filePath).toLowerCase();
+    return EXT_LANGUAGE_MAP[ext];
+}
+// ─── Git Diff Evaluation ────────────────────────────────────────────────────
+/**
+ * Evaluate changed files from a git diff.
+ *
+ * Runs `git diff` between the specified base and the working tree (or HEAD),
+ * parses the unified diff to extract per-file changed lines, reads each
+ * changed file, and evaluates only the changed lines.
+ *
+ * @param repoPath - Path to the git repository root
+ * @param base     - Base ref to diff against (e.g., "main", "HEAD~1", "origin/main")
+ * @param options  - Evaluation options passed to each file evaluation
+ * @returns Aggregate verdict across all changed files
+ */
+export function evaluateGitDiff(repoPath, base = "HEAD~1", options) {
+    // Get the unified diff
+    const diffOutput = tryRunGit(["diff", base, "--unified=0"], { cwd: repoPath });
+    if (diffOutput === null) {
+        return {
+            files: [],
+            overallScore: 100,
+            totalFindings: 0,
+            totalLinesAnalyzed: 0,
+            skippedFiles: [],
+            summary: "Could not run git diff — ensure git is installed and this is a git repository.",
+        };
+    }
+    if (diffOutput.trim().length === 0) {
+        return {
+            files: [],
+            overallScore: 100,
+            totalFindings: 0,
+            totalLinesAnalyzed: 0,
+            skippedFiles: [],
+            summary: "No changes detected between working tree and " + base,
+        };
+    }
+    const fileChanges = parseUnifiedDiffToChangedLines(diffOutput);
+    const fileVerdicts = [];
+    const skippedFiles = [];
+    for (const fc of fileChanges) {
+        const language = detectLanguageFromPath(fc.filePath);
+        if (!language) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const absolutePath = resolve(repoPath, fc.filePath);
+        let code;
+        try {
+            code = readFileSync(absolutePath, "utf-8");
+        }
+        catch {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        // Skip very large files
+        if (code.length > 300_000) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const verdict = evaluateDiff(code, language, fc.changedLines, undefined, {
+            ...options,
+            filePath: fc.filePath,
+        });
+        fileVerdicts.push({ filePath: fc.filePath, language, verdict });
+    }
+    const totalFindings = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.findings.length, 0);
+    const totalLinesAnalyzed = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.linesAnalyzed, 0);
+    const overallScore = fileVerdicts.length > 0
+        ? Math.round(fileVerdicts.reduce((sum, fv) => sum + fv.verdict.score, 0) / fileVerdicts.length)
+        : 100;
+    const summary = `Git diff analysis (${base}): ${fileVerdicts.length} file(s) analyzed, ` +
+        `${totalLinesAnalyzed} changed lines, ${totalFindings} finding(s), ` +
+        `score ${overallScore}/100` +
+        (skippedFiles.length > 0 ? ` (${skippedFiles.length} file(s) skipped)` : "");
+    return {
+        files: fileVerdicts,
+        overallScore,
+        totalFindings,
+        totalLinesAnalyzed,
+        skippedFiles,
+        summary,
+    };
+}
+/**
+ * Evaluate a pre-computed diff string (e.g., from a PR webhook payload).
+ * Reads file content from the specified repo path.
+ */
+export function evaluateUnifiedDiff(diffText, repoPath, options) {
+    const fileChanges = parseUnifiedDiffToChangedLines(diffText);
+    const fileVerdicts = [];
+    const skippedFiles = [];
+    for (const fc of fileChanges) {
+        const language = detectLanguageFromPath(fc.filePath);
+        if (!language) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const absolutePath = resolve(repoPath, fc.filePath);
+        let code;
+        try {
+            code = readFileSync(absolutePath, "utf-8");
+        }
+        catch {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        if (code.length > 300_000) {
+            skippedFiles.push(fc.filePath);
+            continue;
+        }
+        const verdict = evaluateDiff(code, language, fc.changedLines, undefined, {
+            ...options,
+            filePath: fc.filePath,
+        });
+        fileVerdicts.push({ filePath: fc.filePath, language, verdict });
+    }
+    const totalFindings = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.findings.length, 0);
+    const totalLinesAnalyzed = fileVerdicts.reduce((sum, fv) => sum + fv.verdict.linesAnalyzed, 0);
+    const overallScore = fileVerdicts.length > 0
+        ? Math.round(fileVerdicts.reduce((sum, fv) => sum + fv.verdict.score, 0) / fileVerdicts.length)
+        : 100;
+    return {
+        files: fileVerdicts,
+        overallScore,
+        totalFindings,
+        totalLinesAnalyzed,
+        skippedFiles,
+        summary: `Diff analysis: ${fileVerdicts.length} file(s), ${totalLinesAnalyzed} changed lines, ` +
+            `${totalFindings} finding(s), score ${overallScore}/100`,
+    };
+}