@kevinrabun/judges 3.119.0 → 3.122.0

package/dist/evaluators/security.js

@@ -213,6 +213,16 @@ export function analyzeSecurity(code, language) {
                 /(?:req\.|request\.|params\.|query\.|body\.|args\.|input)/i.test(line)) {
                 ssrfLines.push(i + 1);
             }
+            // Java: new URL(userInput).openConnection() or URL constructed from request parameter
+            if (/\bnew\s+URL\s*\(/i.test(line) &&
+                /(?:req\.|request\.|getParameter|params|query|body|args|input)/i.test(line)) {
+                ssrfLines.push(i + 1);
+            }
+            // Ruby: URI.open / Kernel.open with user input
+            if (/\b(?:URI\.open|Kernel\.open|open\()\s*/i.test(line) &&
+                /(?:params\[|request\.|args|input|user|url)/i.test(line)) {
+                ssrfLines.push(i + 1);
+            }
             // Indirect: variable assigned from req, then used in fetch
             if (/\b(?:fetch|axios|http\.get|https\.get|requests\.get|requests\.request)\s*\(\s*(\w+)/i.test(line)) {
                 const match = line.match(/\b(?:fetch|axios|http\.get|requests\.get)\s*\(\s*(\w+)/i);
@@ -555,6 +565,16 @@ export function analyzeSecurity(code, language) {
                     cmdInjLines.push(i + 1);
                 }
             }
+            // Python subprocess with shell=True and user input
+            if (/\bsubprocess\.(?:run|call|Popen|check_output|check_call)\s*\(/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 5)).join("\n");
+                if (/shell\s*=\s*True/i.test(ctx)) {
+                    // Check for user input in the command string (f-string, format, concatenation)
+                    if (/(?:f["']|\$\{|\.format\s*\(|\+\s*\w|request\.|args\.get|params|query|body|input)/i.test(ctx)) {
+                        cmdInjLines.push(i + 1);
+                    }
+                }
+            }
             // PHP system/exec/passthru/shell_exec with user input variables
             if (/\b(?:system|exec|passthru|shell_exec|popen)\s*\(/i.test(line) &&
                 /\$_(?:GET|POST|REQUEST)\[|(?:\.\s*\$|\$\w+)/i.test(line)) {
@@ -689,10 +709,17 @@ export function analyzeSecurity(code, language) {
         const cryptoMiscLines = [];
         for (let i = 0; i < lines.length; i++) {
             const line = lines[i];
-            // Static/hardcoded IV
-            if (/(?:static\s*IV|\b(?:iv|IV)\b\s*[:=]\s*(?:\[\]byte\s*\(|["'[])|var\s+\w*[Ii][Vv]\s*=)/i.test(line)) {
+            // Static/hardcoded IV — matches variable names containing iv/IV with hardcoded values
+            if (/(?:static\s*IV|\b(?:iv|IV)\b\s*[:=]\s*(?:\[\]byte\s*\(|["'[])| var\s+\w*[Ii][Vv]\s*=)/i.test(line)) {
                 cryptoMiscLines.push(i + 1);
             }
+            // Broader IV detection: const/let/var STATIC_IV =, nonce = "...", etc.
+            if (/\b(?:const|let|var|val)\s+\w*(?:_iv|_IV|IV|Iv|_nonce|NONCE)\w*\s*=/.test(line)) {
+                // Must be assigned a hardcoded value (string, buffer, byte array)
+                if (/(?:Buffer\.from|new\s+Uint8Array|\[\]byte|"[^"]+"|'[^']+'|\[\s*\d)/.test(line)) {
+                    cryptoMiscLines.push(i + 1);
+                }
+            }
             // ECB-like mode: manual block-by-block encryption without chain/GCM
             if (/block\.Encrypt\s*\(/i.test(line)) {
                 const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join("\n");
@@ -700,6 +727,17 @@ export function analyzeSecurity(code, language) {
                     cryptoMiscLines.push(i + 1);
                 }
             }
+            // ECB mode explicitly selected
+            if (/['"](?:aes-\d+-ecb|ECB|DES-ECB|des-ecb)['"]|cipher\.NewCipher\b/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join("\n");
+                if (!/GCM|NewGCM|AEAD/i.test(ctx)) {
+                    cryptoMiscLines.push(i + 1);
+                }
+            }
+            // DES/3DES/RC4 usage (known broken ciphers)
+            if (/['"](?:des(?:-ede3)?(?:-cbc|-ecb)?|rc4|RC4)['"]|DES\.(?:encrypt|decrypt|new)/i.test(line)) {
+                cryptoMiscLines.push(i + 1);
+            }
         }
         const uniqueCrypto = [...new Set(cryptoMiscLines)].sort((a, b) => a - b);
         if (uniqueCrypto.length > 0) {
@@ -785,5 +823,191 @@ export function analyzeSecurity(code, language) {
             });
         }
     }
+    ruleNum++; // advance past SEC-022
+    // ── SEC-023: C/C++ unsafe memory functions ─────────────────────────────
+    if (lang === "cpp") {
+        const unsafeMemLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // strcpy, strcat, sprintf, gets, sscanf — no bounds checking
+            if (/\b(?:strcpy|strcat|sprintf|gets|sscanf|wcscpy|wcscat|swprintf)\s*\(/i.test(line)) {
+                unsafeMemLines.push(i + 1);
+            }
+            // memcpy with potentially unbounded size from user input
+            if (/\bmemcpy\s*\(/.test(line) && /sizeof\s*\(\s*\w+\s*\)/.test(line) === false) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 2)).join("\n");
+                if (/strlen|input|user|request|param|argv|read/i.test(ctx)) {
+                    unsafeMemLines.push(i + 1);
+                }
+            }
+            // Use-after-free: free() followed by use of same pointer
+            if (/\bfree\s*\(\s*(\w+)\s*\)/.test(line)) {
+                const match = line.match(/\bfree\s*\(\s*(\w+)\s*\)/);
+                if (match) {
+                    const varName = match[1];
+                    const after = lines.slice(i + 1, Math.min(lines.length, i + 6)).join("\n");
+                    const useRe = new RegExp(`\\b${varName}\\b(?!\\s*=\\s*NULL|\\s*=\\s*nullptr|\\s*=\\s*0)`, "i");
+                    if (useRe.test(after)) {
+                        unsafeMemLines.push(i + 1);
+                    }
+                }
+            }
+        }
+        if (unsafeMemLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Unsafe memory functions without bounds checking",
+                description: "Functions like strcpy, gets, sprintf, and strcat perform no bounds checking and are primary sources of buffer overflow vulnerabilities. Use-after-free patterns also detected.",
+                lineNumbers: [...new Set(unsafeMemLines)].sort((a, b) => a - b),
+                recommendation: "Replace with bounds-checked alternatives: strncpy/strlcpy, snprintf, fgets, strncat. Set freed pointers to NULL. Consider using std::string in C++.",
+                reference: "CWE-120 / CWE-416",
+                suggestedFix: "strcpy(dest, src) → strncpy(dest, src, sizeof(dest)-1); gets(buf) → fgets(buf, sizeof(buf), stdin);",
+                confidence: 0.95,
+            });
+        }
+    }
+    ruleNum++; // advance past SEC-023
+    // ── SEC-024: NoSQL injection via unsanitized query objects ─────────────
+    {
+        const nosqlLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // MongoDB-style: collection.find/deleteMany/updateMany with raw user input
+            if (/\.(?:find|findOne|findOneAndUpdate|findOneAndDelete|updateOne|updateMany|deleteOne|deleteMany|aggregate|countDocuments)\s*\(/i.test(line)) {
+                // Direct user input in the function call
+                if (/(?:req\.body|req\.query|req\.params|request\.body|request\.args)/i.test(line)) {
+                    nosqlLines.push(i + 1);
+                }
+                // Indirect: check if the argument variable was assigned from user input
+                const match = line.match(/\.(?:find|findOne|findOneAndUpdate|findOneAndDelete|deleteMany|updateMany)\s*\(\s*(\w+)/i);
+                if (match && match[1]) {
+                    const varName = match[1];
+                    if (!/^['"`{[]/.test(varName) && !/^(?:null|undefined|true|false|\d)/.test(varName)) {
+                        const ctx = lines.slice(Math.max(0, i - 8), i).join("\n");
+                        const assignRe = new RegExp(`(?:const|let|var)\\s+${varName}\\s*=\\s*.*(?:req\\.body|req\\.query|req\\.params|request\\.body|request\\.args)`, "i");
+                        if (assignRe.test(ctx)) {
+                            nosqlLines.push(i + 1);
+                        }
+                    }
+                }
+            }
+            // MongoDB $where with string (code injection)
+            if (/\$where\s*:\s*['"`]/.test(line)) {
+                nosqlLines.push(i + 1);
+            }
+        }
+        if (nosqlLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "critical",
+                title: "NoSQL injection via unsanitized query object",
+                description: "User input is passed directly as a query filter to NoSQL database operations. Attackers can inject operators like $gt, $ne, or $where to bypass authentication or extract data.",
+                lineNumbers: [...new Set(nosqlLines)].sort((a, b) => a - b),
+                recommendation: "Validate and sanitize query objects. Use explicit field selection instead of passing raw request body. Strip MongoDB operators ($gt, $ne, $regex, $where) from user input.",
+                reference: "CWE-943",
+                suggestedFix: "const filter = { status: req.body.status }; // whitelist fields instead of: collection.find(req.body)",
+                confidence: 0.9,
+            });
+        }
+    }
+    ruleNum++; // advance past SEC-024
+    // ── SEC-025: CORS wildcard origin with credentials ─────────────────────
+    {
+        const corsLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Python Flask-CORS: origins="*" + supports_credentials=True
+            if (/origins?\s*[:=]\s*["']\*["']/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join("\n");
+                if (/(?:supports_credentials|credentials)\s*[:=]\s*(?:True|true)/i.test(ctx)) {
+                    corsLines.push(i + 1);
+                }
+            }
+            // Express cors: origin: "*" + credentials: true
+            if (/origin\s*:\s*["']\*["']|origin\s*:\s*true/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 5), Math.min(lines.length, i + 5)).join("\n");
+                if (/credentials\s*:\s*true/i.test(ctx)) {
+                    corsLines.push(i + 1);
+                }
+            }
+            // Raw header: Access-Control-Allow-Origin: *
+            if (/Access-Control-Allow-Origin['":\s]*\*/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 3)).join("\n");
+                if (/Access-Control-Allow-Credentials['":\s]*true/i.test(ctx)) {
+                    corsLines.push(i + 1);
+                }
+            }
+        }
+        if (corsLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "high",
+                title: "CORS wildcard origin with credentials enabled",
+                description: "Setting Access-Control-Allow-Origin to '*' while enabling credentials is a dangerous misconfiguration. Browsers block this combination, but misconfigurations in server handling can still leak session cookies to arbitrary origins.",
+                lineNumbers: corsLines,
+                recommendation: "Use an explicit allowlist of origins instead of '*' when credentials are required. Validate the Origin header against trusted domains.",
+                reference: "CWE-346 / CWE-942",
+                suggestedFix: "Replace origin='*' with specific allowed origins: CORS(app, origins=['https://myapp.com'], supports_credentials=True)",
+                confidence: 0.9,
+            });
+        }
+    }
+    ruleNum++; // advance past SEC-025
+    // ── SEC-026: Elixir atom exhaustion from user input ────────────────────
+    {
+        const atomLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // String.to_atom or String.to_existing_atom from user input
+            if (/String\.to_atom\s*\(/i.test(line)) {
+                const ctx = lines.slice(Math.max(0, i - 3), Math.min(lines.length, i + 2)).join("\n");
+                if (/(?:params|conn\.params|request|body|query|input|assigns)/i.test(ctx)) {
+                    atomLines.push(i + 1);
+                }
+            }
+        }
+        if (atomLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "high",
+                title: "Atom exhaustion from uncontrolled user input",
+                description: "Converting user input to atoms via String.to_atom/1 can exhaust the atom table (atoms are never garbage collected), leading to a denial-of-service crash of the BEAM VM.",
+                lineNumbers: atomLines,
+                recommendation: "Use String.to_existing_atom/1 instead, which only converts to atoms that already exist. Alternatively, use a whitelist of allowed values.",
+                reference: "CWE-400",
+                suggestedFix: "String.to_atom(input) → String.to_existing_atom(input) or validate: if input in ~w(index show), do: ...",
+                confidence: 0.95,
+            });
+        }
+    }
+    ruleNum++; // advance past SEC-026
+    // ── SEC-027: Dynamic code execution (loadstring, eval equivalents) ─────
+    {
+        const dynCodeLines = [];
+        for (let i = 0; i < lines.length; i++) {
+            const line = lines[i];
+            // Lua: loadstring / load with user input (code execution)
+            if (/\b(?:loadstring|load)\s*\(\s*(\w+)/i.test(line)) {
+                const match = line.match(/\b(?:loadstring|load)\s*\(\s*(\w+)/i);
+                if (match && !/^['"`]/.test(match[1])) {
+                    dynCodeLines.push(i + 1);
+                }
+            }
+        }
+        if (dynCodeLines.length > 0) {
+            findings.push({
+                ruleId: `${prefix}-${String(ruleNum).padStart(3, "0")}`,
+                severity: "critical",
+                title: "Dynamic code execution with potentially untrusted input",
+                description: "Functions like loadstring (Lua) compile and execute strings as code. When called with untrusted input, attackers can execute arbitrary code on the server.",
+                lineNumbers: dynCodeLines,
+                recommendation: "Avoid loadstring/load with external input. Use a sandboxed environment or whitelist of allowed operations. Consider using a data-driven approach instead of code generation.",
+                reference: "CWE-94",
+                suggestedFix: "Replace loadstring(code) with a safe dispatch table: actions[command](args) using pre-defined functions.",
+                confidence: 0.85,
+            });
+        }
+    }
     return findings;
 }

package/dist/evaluators/suppressions.d.ts

@@ -0,0 +1,49 @@
+import type { Finding, SuppressionResult } from "../types.js";
+/**
+ * Metadata captured per suppression directive during parsing.
+ */
+export interface SuppressionDirective {
+    /** Normalised rule ID (uppercased) or "*" */
+    ruleId: string;
+    /** Type of directive that created this suppression */
+    kind: "line" | "next-line" | "block" | "file";
+    /** 1-based line number of the suppression comment itself */
+    commentLine: number;
+    /** Optional reason text extracted from the comment */
+    reason?: string;
+}
+/**
+ * Parsed result of inline suppression comments in source code.
+ *
+ * Supports five directive styles:
+ *   // judges-ignore RULE-ID              → suppress on same line
+ *   // judges-ignore-next-line RULE-ID    → suppress on the next line
+ *   // judges-ignore-block RULE-ID        → suppress until matching end
+ *   // judges-end-block                   → ends block suppression
+ *   // judges-file-ignore RULE-ID         → suppress across entire file
+ *
+ * All directive styles also accept # and /* comment prefixes for
+ * Python/YAML/CSS compatibility.
+ *
+ * An optional reason can be appended after " -- ":
+ *   // judges-ignore SEC-001 -- legacy code, tracked in JIRA-123
+ */
+export declare function parseInlineSuppressions(code: string): {
+    lineSuppressed: Map<number, SuppressionDirective[]>;
+    globalSuppressed: SuppressionDirective[];
+};
+/**
+ * Check whether a rule ID matches a set of suppression directives.
+ * Supports exact match, wildcard "*", and prefix wildcards like "AUTH-*".
+ */
+export declare function matchesSuppression(ruleUpper: string, directives: SuppressionDirective[]): SuppressionDirective | undefined;
+/**
+ * Apply inline suppression comments and return both filtered findings
+ * and a full audit trail of what was suppressed.
+ */
+export declare function applyInlineSuppressionsWithAudit(findings: Finding[], code: string): SuppressionResult;
+/**
+ * Filter findings based on inline suppression comments in the source code.
+ * Drop-in backward-compatible wrapper around `applyInlineSuppressionsWithAudit`.
+ */
+export declare function applyInlineSuppressions(findings: Finding[], code: string): Finding[];

package/dist/evaluators/suppressions.js

@@ -0,0 +1,185 @@
+// ── Inline suppression comment support ──────────────────────────────────────
+// Extracted from evaluators/index.ts to keep that file focused on
+// tribunal orchestration and scoring.
+// ────────────────────────────────────────────────────────────────────────────
+/**
+ * Parsed result of inline suppression comments in source code.
+ *
+ * Supports five directive styles:
+ *   // judges-ignore RULE-ID              → suppress on same line
+ *   // judges-ignore-next-line RULE-ID    → suppress on the next line
+ *   // judges-ignore-block RULE-ID        → suppress until matching end
+ *   // judges-end-block                   → ends block suppression
+ *   // judges-file-ignore RULE-ID         → suppress across entire file
+ *
+ * All directive styles also accept # and /* comment prefixes for
+ * Python/YAML/CSS compatibility.
+ *
+ * An optional reason can be appended after " -- ":
+ *   // judges-ignore SEC-001 -- legacy code, tracked in JIRA-123
+ */
+export function parseInlineSuppressions(code) {
+    const lines = code.split("\n");
+    const lineSuppressed = new Map();
+    const globalSuppressed = [];
+    // Active block suppressions: ruleId → { commentLine, reason }
+    const activeBlocks = new Map();
+    // Pattern: // judges-ignore[-next-line|-block] RULE-ID [, RULE-ID ...] [-- reason]
+    const endBlockPattern = /(?:\/\/|#|\/\*)\s*judges-end-block/i;
+    for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        const lineNum = i + 1; // 1-indexed
+        // Check for block-end
+        if (endBlockPattern.test(line)) {
+            activeBlocks.clear();
+        }
+        // Apply any active block suppressions to this line
+        for (const [ruleId, meta] of activeBlocks) {
+            const arr = lineSuppressed.get(lineNum) ?? [];
+            arr.push({ ruleId, kind: "block", commentLine: meta.commentLine, reason: meta.reason });
+            lineSuppressed.set(lineNum, arr);
+        }
+        // Parse suppression directives (string-based to avoid regex redos)
+        const ignoreIdx = line.indexOf("judges-ignore");
+        if (ignoreIdx >= 0) {
+            const before = line.substring(0, ignoreIdx).trimEnd();
+            if (before.endsWith("//") || before.endsWith("#") || before.endsWith("/*")) {
+                let rest = line.substring(ignoreIdx + "judges-ignore".length);
+                let modifier;
+                if (rest.toLowerCase().startsWith("-next-line")) {
+                    modifier = "next-line";
+                    rest = rest.substring("-next-line".length);
+                }
+                else if (rest.toLowerCase().startsWith("-block")) {
+                    modifier = "block";
+                    rest = rest.substring("-block".length);
+                }
+                const trimmedRest = rest.trimStart();
+                if (trimmedRest.length < rest.length && trimmedRest.length > 0) {
+                    let rawContent = trimmedRest;
+                    if (rawContent.trimEnd().endsWith("*/")) {
+                        rawContent = rawContent.replace("*/", "").trimEnd();
+                    }
+                    const dashSplit = rawContent.split(" -- ");
+                    const ruleIds = dashSplit[0].split(/[, \t]+/).filter(Boolean);
+                    const reason = dashSplit[1]?.trim() || undefined;
+                    const kind = modifier === "next-line" ? "next-line" : modifier === "block" ? "block" : "line";
+                    const targetLine = kind === "next-line" ? lineNum + 1 : lineNum;
+                    for (const rawId of ruleIds) {
+                        const ruleId = rawId === "*" ? "*" : rawId.toUpperCase();
+                        if (kind === "block") {
+                            // Start block suppression — applies to all subsequent lines until end-block
+                            activeBlocks.set(ruleId, { commentLine: lineNum, reason });
+                        }
+                        else {
+                            const arr = lineSuppressed.get(targetLine) ?? [];
+                            arr.push({ ruleId, kind, commentLine: lineNum, reason });
+                            lineSuppressed.set(targetLine, arr);
+                        }
+                    }
+                }
+            }
+        }
+        // File-level suppression: // judges-file-ignore RULE-ID [-- reason]
+        const fileIgnoreIdx = line.indexOf("judges-file-ignore");
+        if (fileIgnoreIdx >= 0) {
+            const beforeFile = line.substring(0, fileIgnoreIdx).trimEnd();
+            if (beforeFile.endsWith("//") || beforeFile.endsWith("#") || beforeFile.endsWith("/*")) {
+                const fileRest = line.substring(fileIgnoreIdx + "judges-file-ignore".length);
+                const fileTrimmedRest = fileRest.trimStart();
+                if (fileTrimmedRest.length < fileRest.length && fileTrimmedRest.length > 0) {
+                    let rawFileContent = fileTrimmedRest;
+                    if (rawFileContent.trimEnd().endsWith("*/")) {
+                        rawFileContent = rawFileContent.replace("*/", "").trimEnd();
+                    }
+                    const fileDashSplit = rawFileContent.split(" -- ");
+                    const ruleIds = fileDashSplit[0].split(/[, \t]+/).filter(Boolean);
+                    const reason = fileDashSplit[1]?.trim() || undefined;
+                    for (const rawId of ruleIds) {
+                        const ruleId = rawId === "*" ? "*" : rawId.toUpperCase();
+                        globalSuppressed.push({ ruleId, kind: "file", commentLine: lineNum, reason });
+                    }
+                }
+            }
+        }
+    }
+    return { lineSuppressed, globalSuppressed };
+}
+/**
+ * Check whether a rule ID matches a set of suppression directives.
+ * Supports exact match, wildcard "*", and prefix wildcards like "AUTH-*".
+ */
+export function matchesSuppression(ruleUpper, directives) {
+    for (const d of directives) {
+        if (d.ruleId === "*" || d.ruleId === ruleUpper) {
+            return d;
+        }
+        if (d.ruleId.endsWith("-*") && ruleUpper.startsWith(d.ruleId.slice(0, -1))) {
+            return d;
+        }
+    }
+    return undefined;
+}
+/**
+ * Apply inline suppression comments and return both filtered findings
+ * and a full audit trail of what was suppressed.
+ */
+export function applyInlineSuppressionsWithAudit(findings, code) {
+    const { lineSuppressed, globalSuppressed } = parseInlineSuppressions(code);
+    if (lineSuppressed.size === 0 && globalSuppressed.length === 0) {
+        return { findings, suppressed: [] };
+    }
+    const kept = [];
+    const suppressed = [];
+    for (const f of findings) {
+        const ruleUpper = f.ruleId.toUpperCase();
+        // Check file-level suppression
+        const globalMatch = matchesSuppression(ruleUpper, globalSuppressed);
+        if (globalMatch) {
+            suppressed.push({
+                ruleId: f.ruleId,
+                severity: f.severity,
+                title: f.title,
+                kind: globalMatch.kind,
+                commentLine: globalMatch.commentLine,
+                findingLines: f.lineNumbers,
+                reason: globalMatch.reason,
+            });
+            continue;
+        }
+        // Check line-level suppressions
+        let wasLineSuppressed = false;
+        if (f.lineNumbers && f.lineNumbers.length > 0) {
+            for (const lineNum of f.lineNumbers) {
+                const directives = lineSuppressed.get(lineNum);
+                if (directives) {
+                    const lineMatch = matchesSuppression(ruleUpper, directives);
+                    if (lineMatch) {
+                        suppressed.push({
+                            ruleId: f.ruleId,
+                            severity: f.severity,
+                            title: f.title,
+                            kind: lineMatch.kind,
+                            commentLine: lineMatch.commentLine,
+                            findingLines: f.lineNumbers,
+                            reason: lineMatch.reason,
+                        });
+                        wasLineSuppressed = true;
+                        break;
+                    }
+                }
+            }
+        }
+        if (!wasLineSuppressed) {
+            kept.push(f);
+        }
+    }
+    return { findings: kept, suppressed };
+}
+/**
+ * Filter findings based on inline suppression comments in the source code.
+ * Drop-in backward-compatible wrapper around `applyInlineSuppressionsWithAudit`.
+ */
+export function applyInlineSuppressions(findings, code) {
+    return applyInlineSuppressionsWithAudit(findings, code).findings;
+}

package/dist/ext-to-lang.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Canonical file-extension → language mapping.
+ *
+ * Single source of truth — every module that needs extension-based language
+ * detection should import from here instead of maintaining its own copy.
+ */
+export declare const EXT_TO_LANG: Record<string, string>;
+/** Set of all recognised source-code extensions (keys of EXT_TO_LANG). */
+export declare const SUPPORTED_EXTENSIONS: Set<string>;
+/**
+ * Detect language from a file path.
+ *
+ * Returns `undefined` when the extension is not recognised.
+ * Callers that need a default should coalesce: `detectLanguage(p) ?? "typescript"`.
+ */
+export declare function detectLanguageFromPath(filePath: string): string | undefined;

package/dist/ext-to-lang.js

@@ -0,0 +1,60 @@
+/**
+ * Canonical file-extension → language mapping.
+ *
+ * Single source of truth — every module that needs extension-based language
+ * detection should import from here instead of maintaining its own copy.
+ */
+import { extname } from "path";
+// ─── Extension → Language ───────────────────────────────────────────────────
+export const EXT_TO_LANG = {
+    ".ts": "typescript",
+    ".tsx": "typescript",
+    ".js": "javascript",
+    ".jsx": "javascript",
+    ".mjs": "javascript",
+    ".cjs": "javascript",
+    ".py": "python",
+    ".rs": "rust",
+    ".go": "go",
+    ".java": "java",
+    ".cs": "csharp",
+    ".rb": "ruby",
+    ".php": "php",
+    ".swift": "swift",
+    ".kt": "kotlin",
+    ".scala": "scala",
+    ".c": "c",
+    ".cc": "cpp",
+    ".cpp": "cpp",
+    ".cxx": "cpp",
+    ".h": "c",
+    ".hpp": "cpp",
+    ".yaml": "yaml",
+    ".yml": "yaml",
+    ".json": "json",
+    ".tf": "terraform",
+    ".hcl": "terraform",
+    ".dockerfile": "dockerfile",
+    ".sh": "bash",
+    ".bash": "bash",
+    ".ps1": "powershell",
+    ".psm1": "powershell",
+    ".dart": "dart",
+    ".sql": "sql",
+    ".bicep": "bicep",
+};
+/** Set of all recognised source-code extensions (keys of EXT_TO_LANG). */
+export const SUPPORTED_EXTENSIONS = new Set(Object.keys(EXT_TO_LANG));
+/**
+ * Detect language from a file path.
+ *
+ * Returns `undefined` when the extension is not recognised.
+ * Callers that need a default should coalesce: `detectLanguage(p) ?? "typescript"`.
+ */
+export function detectLanguageFromPath(filePath) {
+    const lower = filePath.toLowerCase();
+    if (lower.endsWith("dockerfile") || lower.includes("dockerfile."))
+        return "dockerfile";
+    const ext = extname(lower);
+    return EXT_TO_LANG[ext];
+}

package/dist/github-app.d.ts

@@ -101,8 +101,7 @@ interface WebhookResult {
     reviewPosted?: boolean;
     findingsCount?: number;
 }
-export declare const EXT_TO_LANG: Record<string, string>;
-export declare function detectLanguage(filePath: string): string | undefined;
+export { EXT_TO_LANG, detectLanguageFromPath as detectLanguage } from "./ext-to-lang.js";
 export declare function generateJwt(appId: string, privateKey: string): string;
 declare function ghApi(method: string, path: string, token: string, body?: unknown): Promise<{
     status: number;
@@ -151,4 +150,3 @@ export declare function startAppServer(config: GitHubAppConfig): void;
  * `judges app serve` — Start the GitHub App webhook server.
  */
 export declare function runAppCommand(args: string[]): void;
-export {};

package/dist/github-app.js

@@ -30,40 +30,8 @@ import { buildContextSnippets } from "./context/context-snippets.js";
 export let evaluateWithTribunalImpl = evaluateWithTribunal;
 export let evaluateProjectImpl = evaluateProject;
 // ─── Language Detection ─────────────────────────────────────────────────────
-export const EXT_TO_LANG = {
-    ".ts": "typescript",
-    ".tsx": "typescript",
-    ".js": "javascript",
-    ".jsx": "javascript",
-    ".mjs": "javascript",
-    ".cjs": "javascript",
-    ".py": "python",
-    ".rs": "rust",
-    ".go": "go",
-    ".java": "java",
-    ".cs": "csharp",
-    ".rb": "ruby",
-    ".php": "php",
-    ".swift": "swift",
-    ".kt": "kotlin",
-    ".tf": "terraform",
-    ".hcl": "terraform",
-    ".bicep": "bicep",
-    ".sh": "bash",
-    ".ps1": "powershell",
-    ".c": "c",
-    ".cpp": "cpp",
-    ".h": "c",
-    ".hpp": "cpp",
-    ".dart": "dart",
-    ".sql": "sql",
-};
-export function detectLanguage(filePath) {
-    const ext = filePath.toLowerCase().match(/\.[^.]+$/)?.[0] ?? "";
-    if (filePath.toLowerCase().includes("dockerfile"))
-        return "dockerfile";
-    return EXT_TO_LANG[ext];
-}
+export { EXT_TO_LANG, detectLanguageFromPath as detectLanguage } from "./ext-to-lang.js";
+import { detectLanguageFromPath as detectLanguage } from "./ext-to-lang.js";
 // ─── JWT Generation (RS256, no dependencies) ───────────────────────────────
 import { sign as cryptoSign, createPrivateKey } from "crypto";
 export function generateJwt(appId, privateKey) {

package/dist/parallel.js

@@ -11,22 +11,10 @@
  */
 import { cpus } from "os";
 import { readFileSync } from "fs";
-import { extname } from "path";
 // ─── Language Detection ─────────────────────────────────────────────────────
-const EXT_TO_LANG = {
-    ".ts": "typescript",
-    ".tsx": "typescript",
-    ".js": "javascript",
-    ".jsx": "javascript",
-    ".py": "python",
-    ".rs": "rust",
-    ".go": "go",
-    ".java": "java",
-    ".cs": "csharp",
-    ".cpp": "cpp",
-};
+import { detectLanguageFromPath } from "./ext-to-lang.js";
 export function detectLanguage(filePath) {
-    return EXT_TO_LANG[extname(filePath).toLowerCase()] || "typescript";
+    return detectLanguageFromPath(filePath) ?? "typescript";
 }
 // ─── Sequential (fallback) ──────────────────────────────────────────────────
 /**