@kevinrabun/judges 3.119.0 → 3.121.0

package/dist/evaluators/hallucination-detection.js

@@ -484,6 +484,349 @@ const HALLUCINATED_PATTERNS = [
         fix: "Verify the package exists on Maven Central/Gradle Plugin Portal. Use established alternatives from Spring Security, Apache Commons, or Bouncy Castle.",
         languages: ["java", "kotlin"],
     },
+    // ── Additional Node.js / JavaScript / TypeScript ──────────────────────
+    // crypto.hash() doesn't exist — it's crypto.createHash()
+    {
+        pattern: /\bcrypto\.hash\s*\(/,
+        hallucinated: "crypto.hash()",
+        reason: "Node.js crypto module has no hash() method. LLMs hallucinate a simplified API.",
+        fix: "Use crypto.createHash('sha256').update(data).digest('hex').",
+        languages: ["javascript", "typescript"],
+    },
+    // Promise.map/filter/timeout/retry/sequential — don't exist on native Promise
+    {
+        pattern: /\bPromise\.(?:map|filter|timeout|retry|sequential)\s*\(/,
+        hallucinated: "Promise.map/filter/timeout/retry/sequential()",
+        reason: "Native Promise has no map(), filter(), timeout(), retry(), or sequential() methods. LLMs hallucinate these from Bluebird or other promise libraries.",
+        fix: "Use Promise.all() with Array.map() for parallel, or implement custom retry/timeout logic.",
+        languages: ["javascript", "typescript"],
+    },
+    // Fake Node.js built-in submodules (node:url/validator, node:path/sanitize, etc.)
+    {
+        pattern: /\bfrom\s+['"]node:(?:url|path|net|tls|timers|util|worker_threads)\/\w+['"]/,
+        hallucinated: "Non-existent Node.js built-in submodule",
+        reason: "Node.js built-in modules do not have these submodule paths. LLMs fabricate submodule paths by combining real module names with plausible feature names.",
+        fix: "Import directly from the parent module (e.g., import { URL } from 'node:url').",
+        languages: ["javascript", "typescript"],
+    },
+    // os.getCpuUsagePercent / os.getMemoryUsagePercent / os.getDiskUsagePercent
+    {
+        pattern: /\bos\.(?:getCpuUsagePercent|getMemoryUsagePercent|getDiskUsagePercent)\s*\(/,
+        hallucinated: "os.getCpuUsagePercent/getMemoryUsagePercent/getDiskUsagePercent()",
+        reason: "Node.js os module has no percentage-based resource usage methods. LLMs fabricate convenient but non-existent APIs.",
+        fix: "Use os.cpus() for CPU info, os.freemem()/os.totalmem() for memory.",
+        languages: ["javascript", "typescript"],
+    },
+    // process.onUncaughtRejection / process.setMaxMemory / process.enableGracefulShutdown
+    {
+        pattern: /\bprocess\.(?:onUncaughtRejection|setMaxMemory|enableGracefulShutdown)\s*\(/,
+        hallucinated: "process.onUncaughtRejection/setMaxMemory/enableGracefulShutdown()",
+        reason: "Node.js process object does not have these methods. LLMs fabricate convenience APIs.",
+        fix: "Use process.on('unhandledRejection', handler). Use --max-old-space-size for memory. Implement graceful shutdown with process.on('SIGTERM').",
+        languages: ["javascript", "typescript"],
+    },
+    // Fake TypeScript utility types presented as built-in
+    {
+        pattern: /\b(?:StrictOmit|Validated|Frozen)\s*</,
+        hallucinated: "Non-existent TypeScript built-in utility type",
+        reason: "TypeScript does not have built-in StrictOmit, Validated, or Frozen utility types. LLMs hallucinate these as part of the standard type system.",
+        fix: "Use built-in types: Omit<T, K> for StrictOmit, Readonly<T> for Frozen. Define custom types for other needs.",
+        languages: ["typescript"],
+    },
+    // ── Additional Python ─────────────────────────────────────────────────
+    // requests.async_get/post/etc. — requests has no async methods
+    {
+        pattern: /\brequests\.async_(?:get|post|put|delete|patch)\s*\(/,
+        hallucinated: "requests.async_get()",
+        reason: "The requests library has no async methods. LLMs hallucinate async variants of the synchronous API.",
+        fix: "Use aiohttp or httpx for async HTTP: async with aiohttp.ClientSession() as s: await s.get(url).",
+        languages: ["python"],
+    },
+    // os.makedirs with permissions= parameter (should be mode=)
+    {
+        pattern: /\bos\.makedirs\s*\([^)]*\bpermissions\s*=/,
+        hallucinated: "os.makedirs(permissions=...)",
+        reason: "os.makedirs() uses 'mode=' for permissions, not 'permissions='. LLMs hallucinate a more readable parameter name.",
+        fix: "Use os.makedirs(path, mode=0o755, exist_ok=True).",
+        languages: ["python"],
+    },
+    // collections.OrderedDefaultDict doesn't exist
+    {
+        pattern: /\bfrom\s+collections\s+import\b.*\bOrderedDefaultDict\b/,
+        hallucinated: "collections.OrderedDefaultDict",
+        reason: "Python's collections module has no OrderedDefaultDict. LLMs fabricate this by combining OrderedDict and defaultdict.",
+        fix: "Use collections.OrderedDict or collections.defaultdict separately.",
+        languages: ["python"],
+    },
+    // typing.StrictDict doesn't exist
+    {
+        pattern: /\bfrom\s+typing\s+import\b.*\bStrictDict\b/,
+        hallucinated: "typing.StrictDict",
+        reason: "Python's typing module has no StrictDict. LLMs fabricate convenience types.",
+        fix: "Use typing.TypedDict for typed dicts or typing.Dict for generic dict hints.",
+        languages: ["python"],
+    },
+    // pathlib.SecurePath doesn't exist
+    {
+        pattern: /\bfrom\s+pathlib\s+import\b.*\bSecurePath\b/,
+        hallucinated: "pathlib.SecurePath",
+        reason: "Python's pathlib has no SecurePath class. LLMs fabricate security-focused variants.",
+        fix: "Use pathlib.Path and validate/sanitize paths manually.",
+        languages: ["python"],
+    },
+    // asyncio.ParallelMap doesn't exist
+    {
+        pattern: /\bfrom\s+asyncio\s+import\b.*\bParallelMap\b/,
+        hallucinated: "asyncio.ParallelMap",
+        reason: "Python's asyncio has no ParallelMap. LLMs fabricate parallel execution utilities.",
+        fix: "Use asyncio.gather(*[coro(x) for x in items]).",
+        languages: ["python"],
+    },
+    // json.schema doesn't exist in Python stdlib
+    {
+        pattern: /\bjson\.schema\b/,
+        hallucinated: "json.schema",
+        reason: "Python's json module has no schema submodule. LLMs conflate json with the jsonschema package.",
+        fix: "Install jsonschema: from jsonschema import validate.",
+        languages: ["python"],
+    },
+    // functools.memoize doesn't exist (it's lru_cache or cache)
+    {
+        pattern: /\bfrom\s+functools\s+import\b.*\bmemoize\b/,
+        hallucinated: "functools.memoize",
+        reason: "Python's functools has no memoize. LLMs hallucinate this from other languages.",
+        fix: "Use @functools.lru_cache(maxsize=128) or @functools.cache (Python 3.9+).",
+        languages: ["python"],
+    },
+    // ── Additional Java ───────────────────────────────────────────────────
+    // stream().filterMap() doesn't exist in Java (Rust concept)
+    {
+        pattern: /\.filterMap\s*\(/,
+        hallucinated: ".filterMap()",
+        reason: "Java Streams have no filterMap(). LLMs hallucinate this from Rust's filter_map().",
+        fix: "Use .filter(predicate).map(mapper) as two separate operations.",
+        languages: ["java"],
+        scopeCheckMethod: "filterMap",
+    },
+    // Stream.ofParallel() doesn't exist
+    {
+        pattern: /\bStream\.ofParallel\s*\(/,
+        hallucinated: "Stream.ofParallel()",
+        reason: "Java has no Stream.ofParallel(). LLMs fabricate this combining Stream.of() and parallelStream().",
+        fix: "Use collection.parallelStream() or Stream.of(...).parallel().",
+        languages: ["java"],
+    },
+    // Stream.zip() doesn't exist in Java stdlib
+    {
+        pattern: /\bStream\.zip\s*\(/,
+        hallucinated: "Stream.zip()",
+        reason: "Java Streams have no zip(). LLMs hallucinate this from Scala, Kotlin, or Python.",
+        fix: "Use IntStream.range() for manual zipping, or Guava's Streams.zip().",
+        languages: ["java"],
+    },
+    // .filterAsync() doesn't exist in Java Streams or C# LINQ
+    {
+        pattern: /\.filterAsync\s*\(/,
+        hallucinated: ".filterAsync()",
+        reason: "Neither Java Streams nor C# LINQ have filterAsync(). LLMs fabricate async variants.",
+        fix: "Use CompletableFuture with .filter() in Java, or async/await with Where() in C#.",
+        languages: ["java", "csharp"],
+        scopeCheckMethod: "filterAsync",
+    },
+    // Collectors.toUnmodifiableGroupingBy doesn't exist
+    {
+        pattern: /\bCollectors\.toUnmodifiableGroupingBy\s*\(/,
+        hallucinated: "Collectors.toUnmodifiableGroupingBy()",
+        reason: "Java has no Collectors.toUnmodifiableGroupingBy(). LLMs combine groupingBy() with unmodifiable concepts.",
+        fix: "Use Collectors.groupingBy() and wrap with Collections.unmodifiableMap().",
+        languages: ["java"],
+    },
+    // .groupByKey() on Java streams (Spark/Kotlin concept)
+    {
+        pattern: /\.groupByKey\s*\(/,
+        hallucinated: ".groupByKey()",
+        reason: "Java Streams have no groupByKey(). LLMs hallucinate this from Spark or Kotlin.",
+        fix: "Use .collect(Collectors.groupingBy(keyFunction)).",
+        languages: ["java"],
+        scopeCheckMethod: "groupByKey",
+    },
+    // .toConcurrentMap() terminal operation doesn't exist
+    {
+        pattern: /\.toConcurrentMap\s*\(\s*\)/,
+        hallucinated: ".toConcurrentMap()",
+        reason: "Java Streams have no .toConcurrentMap() terminal operation.",
+        fix: "Use .collect(Collectors.toConcurrentMap(keyMapper, valueMapper)).",
+        languages: ["java"],
+        scopeCheckMethod: "toConcurrentMap",
+    },
+    // ── Additional C# ────────────────────────────────────────────────────
+    // Fake LINQ extension methods
+    {
+        pattern: /\.(?:WhereAsync|BatchBy|ParallelSelect|FlattenAll|SortByMultiple|TakeWhileIncluding|SlidingWindow)\s*\(/,
+        hallucinated: "Non-existent LINQ extension method",
+        reason: "C# LINQ does not have WhereAsync, BatchBy, ParallelSelect, FlattenAll, SortByMultiple, TakeWhileIncluding, or SlidingWindow. LLMs hallucinate these extensions.",
+        fix: "Use standard LINQ: Where, Chunk (.NET 6+), AsParallel().Select, SelectMany, OrderBy.ThenBy, TakeWhile.",
+        languages: ["csharp"],
+    },
+    // ── Additional Go ─────────────────────────────────────────────────────
+    // 'implements' keyword in Go type constraints (Java/C# concept)
+    {
+        pattern: /\bimplements\s+\w+/,
+        hallucinated: "'implements' keyword in Go generics",
+        reason: "Go does not have an 'implements' keyword. LLMs hallucinate this from Java/C#.",
+        fix: "Use Go type constraints: [T comparable], [T constraints.Ordered], or define a constraint interface.",
+        languages: ["go"],
+    },
+    // ── Additional Patterns (Benchmark Gaps) ──────────────────────────────
+    // String.contains() doesn't exist in JS — Java confusion
+    {
+        pattern: /\.\bcontains\s*\(\s*(?:['"`]|[a-zA-Z_])/,
+        hallucinated: "String.contains()",
+        reason: "JavaScript strings have no .contains() method. This is a Java API hallucinated onto JS.",
+        fix: "Use .includes() instead of .contains().",
+        languages: ["javascript"],
+        scopeCheckMethod: "contains",
+    },
+    // crypto.signMessage() doesn't exist in Node.js
+    {
+        pattern: /\bcrypto\.signMessage\s*\(/,
+        hallucinated: "crypto.signMessage()",
+        reason: "Node.js crypto module has no signMessage() method.",
+        fix: "Use crypto.sign() or crypto.createSign() to sign data.",
+        languages: ["javascript", "typescript"],
+    },
+    // fetch().abort() — fetch returns a Promise, not an abortable request
+    {
+        pattern: /\.abort\s*\(\s*\)/,
+        hallucinated: "fetch().abort()",
+        reason: "fetch() returns a Promise, not an abortable request. There is no .abort() method on the returned value.",
+        fix: "Use AbortController: const controller = new AbortController(); fetch(url, { signal: controller.signal }); controller.abort();",
+        languages: ["javascript", "typescript"],
+        scopeCheckMethod: "abort",
+        requiresImport: "fetch",
+    },
+    // Python typing.Protocol.implements() doesn't exist
+    {
+        pattern: /\bProtocol\.implements\s*\(/,
+        hallucinated: "Protocol.implements()",
+        reason: "Python's typing.Protocol has no implements() class method. Protocol checking is structural.",
+        fix: "Use isinstance() with @runtime_checkable decorator, or rely on mypy/pyright for static checks.",
+        languages: ["python"],
+    },
+    // json.loads() on a file path — should be json.load(file_handle)
+    {
+        pattern: /\bjson\.loads\s*\(\s*(?:path|file_?path|config_?path|filename)\b/,
+        hallucinated: "json.loads(file_path)",
+        reason: "json.loads() parses a string, not a file path. LLMs confuse json.loads() with json.load().",
+        fix: "Use json.load(open(path)) or: with open(path) as f: data = json.load(f)",
+        languages: ["python"],
+    },
+    // Prisma fabricated methods
+    {
+        pattern: /\.groupByAndCount\s*\(/,
+        hallucinated: "prisma.model.groupByAndCount()",
+        reason: "Prisma has no groupByAndCount(). Use groupBy() with _count aggregation.",
+        fix: "Use prisma.model.groupBy({ by: ['field'], _count: true })",
+        languages: ["javascript", "typescript"],
+    },
+    {
+        pattern: /\.bulkUpsert\s*\(/,
+        hallucinated: "prisma.model.bulkUpsert()",
+        reason: "Prisma has no bulkUpsert(). Use createMany() or loop with upsert().",
+        fix: "Use prisma.model.createMany({ data: items }) or loop with prisma.model.upsert()",
+        languages: ["javascript", "typescript"],
+    },
+    {
+        pattern: /\.findManyOrThrow\s*\(/,
+        hallucinated: "prisma.model.findManyOrThrow()",
+        reason: "Prisma has findFirstOrThrow() and findUniqueOrThrow() but not findManyOrThrow().",
+        fix: "Use findMany() and check result length, or findFirstOrThrow() for single records.",
+        languages: ["javascript", "typescript"],
+    },
+    {
+        pattern: /\.softDelete\s*\(/,
+        hallucinated: "prisma.model.softDelete()",
+        reason: "Prisma has no built-in softDelete() method.",
+        fix: "Implement soft delete: prisma.model.update({ where: { id }, data: { deletedAt: new Date() } })",
+        languages: ["javascript", "typescript"],
+    },
+    // Rust std hallucinations
+    {
+        pattern: /\bget_or_default\s*\(/,
+        hallucinated: "HashMap.get_or_default()",
+        reason: "Rust HashMap has no get_or_default(). Java HashMap API hallucinated onto Rust.",
+        fix: "Use .entry(key).or_default() or .get(key).unwrap_or(&default).",
+        languages: ["rust"],
+    },
+    {
+        pattern: /\bVec::from_iter_parallel\b/,
+        hallucinated: "Vec::from_iter_parallel()",
+        reason: "Rust Vec has no from_iter_parallel() method.",
+        fix: "Use rayon: (0..1000).into_par_iter().map(|x| x * 2).collect()",
+        languages: ["rust"],
+    },
+    {
+        pattern: /\bArc::try_make_mut\b/,
+        hallucinated: "Arc::try_make_mut()",
+        reason: "Rust Arc has no try_make_mut(). Arc::make_mut() exists but requires Clone.",
+        fix: "Use Arc::make_mut() (clones if needed) or Arc::try_unwrap().",
+        languages: ["rust"],
+    },
+    {
+        pattern: /\btruncate_safe\s*\(/,
+        hallucinated: "String::truncate_safe()",
+        reason: "Rust String has no truncate_safe() method.",
+        fix: "Use .truncate(n) with char boundary check: if s.is_char_boundary(n) { s.truncate(n); }",
+        languages: ["rust"],
+    },
+    // secure_random crate doesn't exist in Rust
+    {
+        pattern: /\buse\s+secure_random\b/,
+        hallucinated: "secure_random crate",
+        reason: "There is no 'secure_random' crate. This is a fabricated crate name.",
+        fix: "Use the 'rand' crate with OsRng or ThreadRng for cryptographic randomness.",
+        languages: ["rust"],
+    },
+    // Java stream().toArray(Constructor::new) — wrong signature
+    {
+        pattern: /\.stream\(\)\.toArray\s*\(\s*\w+::new\s*\)/,
+        hallucinated: "stream().toArray(Constructor::new)",
+        reason: "Stream.toArray() takes an IntFunction<A[]> (e.g., String[]::new), not a constructor reference.",
+        fix: "Use .toArray(String[]::new) for typed arrays, or .toArray() for Object[].",
+        languages: ["java"],
+    },
+    // Fabricated npm packages (common webpack/build tool hallucinations)
+    {
+        pattern: /\brequire\s*\(\s*["']webpack-(?:auto-optimize|security-scan|smart-split)["']\s*\)/,
+        hallucinated: "webpack-auto-optimize / webpack-security-scan / webpack-smart-split",
+        reason: "These webpack plugins do not exist. LLMs fabricate plausible-sounding plugin names.",
+        fix: "Use real webpack plugins: TerserPlugin, BundleAnalyzerPlugin, SplitChunksPlugin (built-in).",
+        languages: ["javascript", "typescript"],
+    },
+    // Fabricated AWS SDK commands
+    {
+        pattern: /\b(?:SecurityScanCommand|AutoScaleCommand|WarmUpCommand)\b/,
+        hallucinated: "Fabricated AWS SDK commands",
+        reason: "SecurityScanCommand, AutoScaleCommand, WarmUpCommand do not exist in the AWS SDK.",
+        fix: "Use real AWS SDK commands: ListObjectsV2Command, PutItemCommand, InvokeCommand, etc.",
+        languages: ["javascript", "typescript"],
+    },
+    // Fabricated Octokit/GitHub API methods
+    {
+        pattern: /\.repos\.(?:getSecurityScore|getAICodeReview|getPerformanceMetrics)\s*\(/,
+        hallucinated: "Fabricated Octokit methods",
+        reason: "Octokit has no getSecurityScore(), getAICodeReview(), or getPerformanceMetrics() methods.",
+        fix: "Use real GitHub API endpoints: repos.get(), repos.listCommits(), repos.getContent(), etc.",
+        languages: ["javascript", "typescript"],
+    },
+    // Fabricated SQL functions
+    {
+        pattern: /\b(?:TOP_N|STRING_AGG_DISTINCT|FIRST_VALUE_IF|WEIGHTED_AVG|RUNNING_TOTAL|AUTO_BUCKET|FUZZY_MATCH|FILL_GAPS)\s*\(/i,
+        hallucinated: "Fabricated SQL functions",
+        reason: "TOP_N, STRING_AGG_DISTINCT, WEIGHTED_AVG, RUNNING_TOTAL, AUTO_BUCKET, FUZZY_MATCH, FILL_GAPS are not standard SQL functions.",
+        fix: "Use standard SQL: NTILE()/ROW_NUMBER(), STRING_AGG(), FIRST_VALUE() with FILTER, SUM() OVER(), WIDTH_BUCKET(), SIMILARITY() (PostgreSQL).",
+        languages: ["sql"],
+    },
 ];
 // ─── Suspicious Import Patterns ─────────────────────────────────────────────
 /**

package/dist/evaluators/index.d.ts

@@ -1,4 +1,4 @@
-import type { JudgeDefinition, JudgeEvaluation, TribunalVerdict, ProjectVerdict, DiffVerdict, Finding, MustFixGateOptions, JudgesConfig, SuppressionResult, StreamingBatch } from "../types.js";
+import type { JudgeDefinition, JudgeEvaluation, TribunalVerdict, ProjectVerdict, DiffVerdict, MustFixGateOptions, JudgesConfig, StreamingBatch } from "../types.js";
 import type { CodeStructure } from "../ast/types.js";
 import type { TaintFlow } from "../ast/taint-tracker.js";
 import { formatVerdictAsMarkdown, formatEvaluationAsMarkdown } from "./shared.js";
@@ -122,16 +122,7 @@ export declare function preWarmCaches(files: ReadonlyArray<{
     content: string;
     language: string;
 }>, optionsSuffix?: string): void;
-/**
- * Apply inline suppression comments and return both filtered findings
- * and a full audit trail of what was suppressed.
- */
-export declare function applyInlineSuppressionsWithAudit(findings: Finding[], code: string): SuppressionResult;
-/**
- * Filter findings based on inline suppression comments in the source code.
- * Drop-in backward-compatible wrapper around `applyInlineSuppressionsWithAudit`.
- */
-export declare function applyInlineSuppressions(findings: Finding[], code: string): Finding[];
+export { applyInlineSuppressions, applyInlineSuppressionsWithAudit } from "./suppressions.js";
 /**
  * Run a single judge against the provided code.
  */

package/dist/evaluators/index.js

@@ -201,187 +201,9 @@ function findMatchingTaintFlows(finding, flowsBySinkLine) {
     }
     return matched;
 }
-/**
- * Parsed result of inline suppression comments in source code.
- *
- * Supports five directive styles:
- *   // judges-ignore RULE-ID              → suppress on same line
- *   // judges-ignore-next-line RULE-ID    → suppress on the next line
- *   // judges-ignore-block RULE-ID        → suppress until matching end
- *   // judges-end-block                   → ends block suppression
- *   // judges-file-ignore RULE-ID         → suppress across entire file
- *
- * All directive styles also accept # and /* comment prefixes for
- * Python/YAML/CSS compatibility.
- *
- * An optional reason can be appended after " -- ":
- *   // judges-ignore SEC-001 -- legacy code, tracked in JIRA-123
- */
-function parseInlineSuppressions(code) {
-    const lines = code.split("\n");
-    const lineSuppressed = new Map();
-    const globalSuppressed = [];
-    // Active block suppressions: ruleId → { commentLine, reason }
-    const activeBlocks = new Map();
-    // Pattern: // judges-ignore[-next-line|-block] RULE-ID [, RULE-ID ...] [-- reason]
-    const endBlockPattern = /(?:\/\/|#|\/\*)\s*judges-end-block/i;
-    for (let i = 0; i < lines.length; i++) {
-        const line = lines[i];
-        const lineNum = i + 1; // 1-indexed
-        // Check for block-end
-        if (endBlockPattern.test(line)) {
-            activeBlocks.clear();
-        }
-        // Apply any active block suppressions to this line
-        for (const [ruleId, meta] of activeBlocks) {
-            const arr = lineSuppressed.get(lineNum) ?? [];
-            arr.push({ ruleId, kind: "block", commentLine: meta.commentLine, reason: meta.reason });
-            lineSuppressed.set(lineNum, arr);
-        }
-        // Parse suppression directives (string-based to avoid regex redos)
-        const ignoreIdx = line.indexOf("judges-ignore");
-        if (ignoreIdx >= 0) {
-            const before = line.substring(0, ignoreIdx).trimEnd();
-            if (before.endsWith("//") || before.endsWith("#") || before.endsWith("/*")) {
-                let rest = line.substring(ignoreIdx + "judges-ignore".length);
-                let modifier;
-                if (rest.toLowerCase().startsWith("-next-line")) {
-                    modifier = "next-line";
-                    rest = rest.substring("-next-line".length);
-                }
-                else if (rest.toLowerCase().startsWith("-block")) {
-                    modifier = "block";
-                    rest = rest.substring("-block".length);
-                }
-                const trimmedRest = rest.trimStart();
-                if (trimmedRest.length < rest.length && trimmedRest.length > 0) {
-                    let rawContent = trimmedRest;
-                    if (rawContent.trimEnd().endsWith("*/")) {
-                        rawContent = rawContent.replace("*/", "").trimEnd();
-                    }
-                    const dashSplit = rawContent.split(" -- ");
-                    const ruleIds = dashSplit[0].split(/[, \t]+/).filter(Boolean);
-                    const reason = dashSplit[1]?.trim() || undefined;
-                    const kind = modifier === "next-line" ? "next-line" : modifier === "block" ? "block" : "line";
-                    const targetLine = kind === "next-line" ? lineNum + 1 : lineNum;
-                    for (const rawId of ruleIds) {
-                        const ruleId = rawId === "*" ? "*" : rawId.toUpperCase();
-                        if (kind === "block") {
-                            // Start block suppression — applies to all subsequent lines until end-block
-                            activeBlocks.set(ruleId, { commentLine: lineNum, reason });
-                        }
-                        else {
-                            const arr = lineSuppressed.get(targetLine) ?? [];
-                            arr.push({ ruleId, kind, commentLine: lineNum, reason });
-                            lineSuppressed.set(targetLine, arr);
-                        }
-                    }
-                }
-            }
-        }
-        // File-level suppression: // judges-file-ignore RULE-ID [-- reason]
-        const fileIgnoreIdx = line.indexOf("judges-file-ignore");
-        if (fileIgnoreIdx >= 0) {
-            const beforeFile = line.substring(0, fileIgnoreIdx).trimEnd();
-            if (beforeFile.endsWith("//") || beforeFile.endsWith("#") || beforeFile.endsWith("/*")) {
-                const fileRest = line.substring(fileIgnoreIdx + "judges-file-ignore".length);
-                const fileTrimmedRest = fileRest.trimStart();
-                if (fileTrimmedRest.length < fileRest.length && fileTrimmedRest.length > 0) {
-                    let rawFileContent = fileTrimmedRest;
-                    if (rawFileContent.trimEnd().endsWith("*/")) {
-                        rawFileContent = rawFileContent.replace("*/", "").trimEnd();
-                    }
-                    const fileDashSplit = rawFileContent.split(" -- ");
-                    const ruleIds = fileDashSplit[0].split(/[, \t]+/).filter(Boolean);
-                    const reason = fileDashSplit[1]?.trim() || undefined;
-                    for (const rawId of ruleIds) {
-                        const ruleId = rawId === "*" ? "*" : rawId.toUpperCase();
-                        globalSuppressed.push({ ruleId, kind: "file", commentLine: lineNum, reason });
-                    }
-                }
-            }
-        }
-    }
-    return { lineSuppressed, globalSuppressed };
-}
-/**
- * Check whether a rule ID matches a set of suppression directives.
- * Supports exact match, wildcard "*", and prefix wildcards like "AUTH-*".
- */
-function matchesSuppression(ruleUpper, directives) {
-    for (const d of directives) {
-        if (d.ruleId === "*" || d.ruleId === ruleUpper) {
-            return d;
-        }
-        if (d.ruleId.endsWith("-*") && ruleUpper.startsWith(d.ruleId.slice(0, -1))) {
-            return d;
-        }
-    }
-    return undefined;
-}
-/**
- * Apply inline suppression comments and return both filtered findings
- * and a full audit trail of what was suppressed.
- */
-export function applyInlineSuppressionsWithAudit(findings, code) {
-    const { lineSuppressed, globalSuppressed } = parseInlineSuppressions(code);
-    if (lineSuppressed.size === 0 && globalSuppressed.length === 0) {
-        return { findings, suppressed: [] };
-    }
-    const kept = [];
-    const suppressed = [];
-    for (const f of findings) {
-        const ruleUpper = f.ruleId.toUpperCase();
-        // Check file-level suppression
-        const globalMatch = matchesSuppression(ruleUpper, globalSuppressed);
-        if (globalMatch) {
-            suppressed.push({
-                ruleId: f.ruleId,
-                severity: f.severity,
-                title: f.title,
-                kind: globalMatch.kind,
-                commentLine: globalMatch.commentLine,
-                findingLines: f.lineNumbers,
-                reason: globalMatch.reason,
-            });
-            continue;
-        }
-        // Check line-level suppressions
-        let wasLineSuppressed = false;
-        if (f.lineNumbers && f.lineNumbers.length > 0) {
-            for (const lineNum of f.lineNumbers) {
-                const directives = lineSuppressed.get(lineNum);
-                if (directives) {
-                    const lineMatch = matchesSuppression(ruleUpper, directives);
-                    if (lineMatch) {
-                        suppressed.push({
-                            ruleId: f.ruleId,
-                            severity: f.severity,
-                            title: f.title,
-                            kind: lineMatch.kind,
-                            commentLine: lineMatch.commentLine,
-                            findingLines: f.lineNumbers,
-                            reason: lineMatch.reason,
-                        });
-                        wasLineSuppressed = true;
-                        break;
-                    }
-                }
-            }
-        }
-        if (!wasLineSuppressed) {
-            kept.push(f);
-        }
-    }
-    return { findings: kept, suppressed };
-}
-/**
- * Filter findings based on inline suppression comments in the source code.
- * Drop-in backward-compatible wrapper around `applyInlineSuppressionsWithAudit`.
- */
-export function applyInlineSuppressions(findings, code) {
-    return applyInlineSuppressionsWithAudit(findings, code).findings;
-}
+// ── Inline suppression support (delegated to ./suppressions.ts) ─────────────
+export { applyInlineSuppressions, applyInlineSuppressionsWithAudit } from "./suppressions.js";
+import { applyInlineSuppressionsWithAudit } from "./suppressions.js";
 function resolveJudgeSet(options) {
     const includeAstFindings = options?.includeAstFindings ?? true;
     let judges = includeAstFindings ? JUDGES : JUDGES.filter((judge) => judge.id !== "code-structure");