@kevinrabun/judges 3.38.0 → 3.41.0

package/dist/commands/dep-audit.js

@@ -0,0 +1,278 @@
+/**
+ * `judges dep-audit` — Dependency vulnerability correlation.
+ *
+ * Correlates code-level findings with known vulnerabilities in project
+ * dependencies. Uses npm audit / pip audit output to enrich findings
+ * with CVE data, adding urgency context to code review.
+ *
+ * Usage:
+ *   judges dep-audit                             # Audit current directory
+ *   judges dep-audit --format json               # JSON output
+ *   judges dep-audit --correlate results.json     # Correlate with findings
+ */
+import { existsSync, readFileSync } from "fs";
+import { execSync } from "child_process";
+import { resolve, join } from "path";
+// ─── npm Audit ──────────────────────────────────────────────────────────────
+function runNpmAudit(dir) {
+    try {
+        const output = execSync("npm audit --json 2>/dev/null || true", {
+            cwd: dir,
+            encoding: "utf-8",
+            timeout: 30000,
+        });
+        const data = JSON.parse(output);
+        const vulns = [];
+        // npm audit v2 format (npm >= 7)
+        const advisories = (data.vulnerabilities || {});
+        for (const [name, info] of Object.entries(advisories)) {
+            const severity = mapNpmSeverity(info.severity);
+            const via = (info.via || []);
+            const cves = [];
+            const cwes = [];
+            let title = `Vulnerability in ${name}`;
+            let url;
+            for (const v of via) {
+                if (typeof v === "object" && v !== null) {
+                    if (v.cve)
+                        cves.push(v.cve);
+                    if (v.cwe) {
+                        const cweArr = Array.isArray(v.cwe) ? v.cwe : [v.cwe];
+                        cwes.push(...cweArr.map((c) => c));
+                    }
+                    if (v.title)
+                        title = v.title;
+                    if (v.url)
+                        url = v.url;
+                }
+            }
+            vulns.push({
+                name,
+                version: info.version || "unknown",
+                severity,
+                cves: [...new Set(cves)],
+                cwes: [...new Set(cwes)],
+                title,
+                url,
+                fixedIn: info.fixAvailable?.version,
+            });
+        }
+        return vulns;
+    }
+    catch {
+        return [];
+    }
+}
+function mapNpmSeverity(sev) {
+    switch (sev) {
+        case "critical":
+            return "critical";
+        case "high":
+            return "high";
+        case "moderate":
+            return "medium";
+        case "low":
+            return "low";
+        default:
+            return "info";
+    }
+}
+// ─── pip Audit ──────────────────────────────────────────────────────────────
+function runPipAudit(dir) {
+    try {
+        const output = execSync("pip-audit --format=json 2>/dev/null || python -m pip_audit --format=json 2>/dev/null || true", {
+            cwd: dir,
+            encoding: "utf-8",
+            timeout: 30000,
+        });
+        if (!output.trim().startsWith("["))
+            return [];
+        const data = JSON.parse(output);
+        return data
+            .filter((entry) => entry.vulns && Array.isArray(entry.vulns) && entry.vulns.length > 0)
+            .map((entry) => {
+            const vulnEntries = entry.vulns;
+            return {
+                name: entry.name,
+                version: entry.version,
+                severity: "high",
+                cves: vulnEntries.map((v) => v.id || "").filter(Boolean),
+                cwes: [],
+                title: `Vulnerability in ${entry.name}`,
+                fixedIn: vulnEntries[0]?.fix_versions,
+            };
+        });
+    }
+    catch {
+        return [];
+    }
+}
+// ─── Correlation Engine ─────────────────────────────────────────────────────
+/** CWE-to-rule mapping for correlating deps vulnerabilities with code findings */
+const CWE_TO_RULE_PREFIX = {
+    "CWE-79": ["SEC", "XSS"],
+    "CWE-89": ["SEC", "SQLI"],
+    "CWE-94": ["SEC"],
+    "CWE-78": ["SEC", "CMD"],
+    "CWE-22": ["SEC", "PATH"],
+    "CWE-611": ["SEC"],
+    "CWE-502": ["SEC"],
+    "CWE-200": ["DATA"],
+    "CWE-287": ["AUTH"],
+    "CWE-306": ["AUTH"],
+    "CWE-352": ["SEC", "CSRF"],
+    "CWE-918": ["SEC", "SSRF"],
+    "CWE-1321": ["SEC"],
+    "CWE-400": ["PERF", "DOS"],
+};
+function correlateVulnsWithFindings(vulns, findings) {
+    const correlations = [];
+    for (const vuln of vulns) {
+        const related = [];
+        for (const finding of findings) {
+            // Match by CWE
+            if (finding.cweIds && vuln.cwes.length > 0) {
+                const overlap = finding.cweIds.filter((cwe) => vuln.cwes.includes(cwe));
+                if (overlap.length > 0) {
+                    related.push({
+                        ruleId: finding.ruleId,
+                        title: finding.title,
+                        reason: `Shares CWE: ${overlap.join(", ")} with vulnerable dep ${vuln.name}`,
+                    });
+                    continue;
+                }
+            }
+            // Match by rule prefix → CWE category
+            for (const cwe of vuln.cwes) {
+                const prefixes = CWE_TO_RULE_PREFIX[cwe] || [];
+                if (prefixes.some((p) => finding.ruleId.startsWith(p))) {
+                    related.push({
+                        ruleId: finding.ruleId,
+                        title: finding.title,
+                        reason: `Code pattern (${finding.ruleId}) relates to ${cwe} in vulnerable dep ${vuln.name}`,
+                    });
+                    break;
+                }
+            }
+        }
+        if (related.length > 0) {
+            correlations.push({ vulnerability: vuln, relatedFindings: related });
+        }
+    }
+    return correlations;
+}
+// ─── Main Audit Function ────────────────────────────────────────────────────
+export function runDepAudit(dir, findings) {
+    let packageManager = "unknown";
+    let vulns = [];
+    // Detect and run audit
+    if (existsSync(join(dir, "package.json")) || existsSync(join(dir, "package-lock.json"))) {
+        packageManager = "npm";
+        vulns = runNpmAudit(dir);
+    }
+    else if (existsSync(join(dir, "requirements.txt")) ||
+        existsSync(join(dir, "pyproject.toml")) ||
+        existsSync(join(dir, "Pipfile"))) {
+        packageManager = "pip";
+        vulns = runPipAudit(dir);
+    }
+    const severityCounts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+    for (const v of vulns) {
+        severityCounts[v.severity]++;
+    }
+    const correlations = findings ? correlateVulnsWithFindings(vulns, findings) : [];
+    return {
+        packageManager,
+        vulnerabilities: vulns,
+        totalVulnerabilities: vulns.length,
+        severityCounts,
+        correlations,
+    };
+}
+// ─── CLI Runner ─────────────────────────────────────────────────────────────
+export function runDepAuditCommand(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges dep-audit — Dependency vulnerability correlation
+
+Usage:
+  judges dep-audit [dir]                        Audit dependencies
+  judges dep-audit --correlate results.json     Correlate with code findings
+  judges dep-audit --format json                JSON output
+
+Supports:
+  • npm (package.json / package-lock.json)
+  • pip (requirements.txt / pyproject.toml / Pipfile)
+
+Correlates dependency vulnerabilities with code findings by CWE mapping.
+
+Options:
+  --correlate <file>   Path to Judges JSON results file
+  --format <fmt>       Output format: text, json
+  --help, -h           Show this help
+`);
+        return;
+    }
+    const dir = argv.find((a, i) => i > 1 && !a.startsWith("-") && argv[i - 1] !== "--correlate" && argv[i - 1] !== "--format") ||
+        ".";
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    const correlatePath = argv.find((_a, i) => argv[i - 1] === "--correlate");
+    // Load findings for correlation if provided
+    let findings;
+    if (correlatePath && existsSync(correlatePath)) {
+        try {
+            const data = JSON.parse(readFileSync(correlatePath, "utf-8"));
+            findings = data.findings || [];
+        }
+        catch {
+            console.error(`Warning: Could not parse findings from ${correlatePath}`);
+        }
+    }
+    console.log(`\n  Running dependency audit in ${resolve(dir)}...\n`);
+    const result = runDepAudit(resolve(dir), findings);
+    if (format === "json") {
+        console.log(JSON.stringify(result, null, 2));
+        return;
+    }
+    // Text output
+    if (result.packageManager === "unknown") {
+        console.log("  No supported package manifest found (package.json, requirements.txt, etc.)\n");
+        return;
+    }
+    console.log(`  Package manager: ${result.packageManager}`);
+    console.log(`  Vulnerabilities: ${result.totalVulnerabilities}\n`);
+    if (result.totalVulnerabilities === 0) {
+        console.log("  ✅ No known vulnerabilities found.\n");
+        return;
+    }
+    // Severity breakdown
+    for (const sev of ["critical", "high", "medium", "low", "info"]) {
+        if (result.severityCounts[sev] > 0) {
+            console.log(`  ${sev.toUpperCase().padEnd(10)} ${result.severityCounts[sev]}`);
+        }
+    }
+    console.log("");
+    // Top vulnerabilities
+    for (const vuln of result.vulnerabilities.slice(0, 15)) {
+        const fixInfo = vuln.fixedIn ? ` → fix: ${vuln.fixedIn}` : "";
+        console.log(`  • [${vuln.severity.toUpperCase()}] ${vuln.name}@${vuln.version}: ${vuln.title}${fixInfo}`);
+        if (vuln.cves.length > 0) {
+            console.log(`    CVE: ${vuln.cves.join(", ")}`);
+        }
+    }
+    // Correlations
+    if (result.correlations.length > 0) {
+        console.log(`\n  ─── Code ↔ Dependency Correlations ───\n`);
+        for (const corr of result.correlations) {
+            console.log(`  📦 ${corr.vulnerability.name} (${corr.vulnerability.cves.join(", ")})`);
+            for (const rel of corr.relatedFindings) {
+                console.log(`    ↳ ${rel.ruleId}: ${rel.reason}`);
+            }
+        }
+    }
+    console.log("");
+    if (result.severityCounts.critical > 0 || result.severityCounts.high > 0) {
+        process.exit(1);
+    }
+}
+//# sourceMappingURL=dep-audit.js.map

package/dist/commands/dep-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dep-audit.js","sourceRoot":"","sources":["../../src/commands/dep-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAC9C,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAwCrC,+EAA+E;AAE/E,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,sCAAsC,EAAE;YAC9D,GAAG,EAAE,GAAG;YACR,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAA4B,CAAC;QAC3D,MAAM,KAAK,GAAwB,EAAE,CAAC;QAEtC,iCAAiC;QACjC,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,EAAE,CAA4C,CAAC;QAC3F,KAAK,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,CAAC;YACtD,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,QAAkB,CAAC,CAAC;YACzD,MAAM,GAAG,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,EAAE,CAA4C,CAAC;YAExE,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,MAAM,IAAI,GAAa,EAAE,CAAC;YAC1B,IAAI,KAAK,GAAG,oBAAoB,IAAI,EAAE,CAAC;YACvC,IAAI,GAAuB,CAAC;YAE5B,KAAK,MAAM,CAAC,IAAI,GAAG,EAAE,CAAC;gBACpB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;oBACxC,IAAI,CAAC,CAAC,GAAG;wBAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,GAAa,CAAC,CAAC;oBACtC,IAAI,CAAC,CAAC,GAAG,EAAE,CAAC;wBACV,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;wBACtD,IAAI,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;oBAC7C,CAAC;oBACD,IAAI,CAAC,CAAC,KAAK;wBAAE,KAAK,GAAG,CAAC,CAAC,KAAe,CAAC;oBACvC,IAAI,CAAC,CAAC,GAAG;wBAAE,GAAG,GAAG,CAAC,CAAC,GAAa,CAAC;gBACnC,CAAC;YACH,CAAC;YAED,KAAK,CAAC,IAAI,CAAC;gBACT,IAAI;gBACJ,OAAO,EAAG,IAAI,CAAC,OAAkB,IAAI,SAAS;gBAC9C,QAAQ;gBACR,IAAI,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;gBACxB,IAAI,EAAE,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;gBACxB,KAAK;gBACL,GAAG;gBACH,OAAO,EAAG,IAAI,CAAC,YAAuC,EAAE,OAAO;aAChE,CAAC,CAAC;QACL,CAAC;QAED,OAAO,KAAK,CAAC;IACf,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,UAAU;YACb,OAAO,UAAU,CAAC;QACpB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,UAAU;YACb,OAAO,QAAQ,CAAC;QAClB,KAAK,KAAK;YACR,OAAO,KAAK,CAAC;QACf;YACE,OAAO,MAAM,CAAC;IAClB,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CACrB,8FAA8F,EAC9F;YACE,GAAG,EAAE,GAAG;YACR,QAAQ,EAAE,OAAO;YACjB,OAAO,EAAE,KAAK;SACf,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,OAAO,EAAE,CAAC;QAE9C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAmC,CAAC;QAClE,OAAO,IAAI;aACR,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAK,KAAK,CAAC,KAAwB,CAAC,MAAM,GAAG,CAAC,CAAC;aAC1G,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;YACb,MAAM,WAAW,GAAG,KAAK,CAAC,KAAsC,CAAC;YACjE,OAAO;gBACL,IAAI,EAAE,KAAK,CAAC,IAAc;gBAC1B,OAAO,EAAE,KAAK,CAAC,OAAiB;gBAChC,QAAQ,EAAE,MAAkB;gBAC5B,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC;gBACxD,IAAI,EAAE,EAAE;gBACR,KAAK,EAAE,oBAAoB,KAAK,CAAC,IAAI,EAAE;gBACvC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,EAAE,YAAY;aACtC,CAAC;QACJ,CAAC,CAAC,CAAC;IACP,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,+EAA+E;AAE/E,kFAAkF;AAClF,MAAM,kBAAkB,GAA6B;IACnD,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,CAAC,KAAK,CAAC;IACjB,QAAQ,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC;IACxB,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;IACzB,SAAS,EAAE,CAAC,KAAK,CAAC;IAClB,SAAS,EAAE,CAAC,KAAK,CAAC;IAClB,SAAS,EAAE,CAAC,MAAM,CAAC;IACnB,SAAS,EAAE,CAAC,MAAM,CAAC;IACnB,SAAS,EAAE,CAAC,MAAM,CAAC;IACnB,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,CAAC,KAAK,CAAC;IACnB,SAAS,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC;CAC3B,CAAC;AAEF,SAAS,0BAA0B,CAAC,KAA0B,EAAE,QAAmB;IACjF,MAAM,YAAY,GAAmC,EAAE,CAAC;IAExD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,OAAO,GAA6D,EAAE,CAAC;QAE7E,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,eAAe;YACf,IAAI,OAAO,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3C,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;gBACxE,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;oBACvB,OAAO,CAAC,IAAI,CAAC;wBACX,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;wBACpB,MAAM,EAAE,eAAe,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,wBAAwB,IAAI,CAAC,IAAI,EAAE;qBAC7E,CAAC,CAAC;oBACH,SAAS;gBACX,CAAC;YACH,CAAC;YAED,sCAAsC;YACtC,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;gBAC5B,MAAM,QAAQ,GAAG,kBAAkB,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;gBAC/C,IAAI,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;oBACvD,OAAO,CAAC,IAAI,CAAC;wBACX,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,KAAK,EAAE,OAAO,CAAC,KAAK;wBACpB,MAAM,EAAE,iBAAiB,OAAO,CAAC,MAAM,gBAAgB,GAAG,sBAAsB,IAAI,CAAC,IAAI,EAAE;qBAC5F,CAAC,CAAC;oBACH,MAAM;gBACR,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACvB,YAAY,CAAC,IAAI,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,eAAe,EAAE,OAAO,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,WAAW,CAAC,GAAW,EAAE,QAAoB;IAC3D,IAAI,cAAc,GAAqC,SAAS,CAAC;IACjE,IAAI,KAAK,GAAwB,EAAE,CAAC;IAEpC,uBAAuB;IACvB,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,cAAc,CAAC,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC,EAAE,CAAC;QACxF,cAAc,GAAG,KAAK,CAAC;QACvB,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;SAAM,IACL,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,kBAAkB,CAAC,CAAC;QACzC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;QACvC,UAAU,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,EAChC,CAAC;QACD,cAAc,GAAG,KAAK,CAAC;QACvB,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAED,MAAM,cAAc,GAA6B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACtG,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC;IAC/B,CAAC;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,CAAC,CAAC,0BAA0B,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAEjF,OAAO;QACL,cAAc;QACd,eAAe,EAAE,KAAK;QACtB,oBAAoB,EAAE,KAAK,CAAC,MAAM;QAClC,cAAc;QACd,YAAY;KACb,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,kBAAkB,CAAC,IAAc;IAC/C,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;;;;;CAkBf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,GAAG,GACP,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,aAAa,IAAI,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC;QAC/G,GAAG,CAAC;IACN,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAC1E,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,aAAa,CAAC,CAAC;IAE1E,4CAA4C;IAC5C,IAAI,QAA+B,CAAC;IACpC,IAAI,aAAa,IAAI,UAAU,CAAC,aAAa,CAAC,EAAE,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC,CAAC;YAC9D,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;QACjC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,CAAC,KAAK,CAAC,0CAA0C,aAAa,EAAE,CAAC,CAAC;QAC3E,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,mCAAmC,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,WAAW,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,QAAQ,CAAC,CAAC;IAEnD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC7C,OAAO;IACT,CAAC;IAED,cAAc;IACd,IAAI,MAAM,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC;QAC9F,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,cAAc,EAAE,CAAC,CAAC;IAC3D,OAAO,CAAC,GAAG,CAAC,sBAAsB,MAAM,CAAC,oBAAoB,IAAI,CAAC,CAAC;IAEnE,IAAI,MAAM,CAAC,oBAAoB,KAAK,CAAC,EAAE,CAAC;QACtC,OAAO,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO;IACT,CAAC;IAED,qBAAqB;IACrB,KAAK,MAAM,GAAG,IAAI,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAe,EAAE,CAAC;QAC9E,IAAI,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC;YACnC,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,WAAW,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,IAAI,MAAM,CAAC,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,sBAAsB;IACtB,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;QACvD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,IAAI,CAAC,KAAK,GAAG,OAAO,EAAE,CAAC,CAAC;QAC1G,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,OAAO,CAAC,GAAG,CAAC,YAAY,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC;IACH,CAAC;IAED,eAAe;IACf,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,OAAO,CAAC,GAAG,CAAC,8CAA8C,CAAC,CAAC;QAC5D,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YACvC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACvF,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,SAAS,GAAG,CAAC,MAAM,KAAK,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAEhB,IAAI,MAAM,CAAC,cAAc,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,cAAc,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACzE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/commands/deprecated.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Rule deprecation lifecycle management.
+ *
+ * Provides a registry of deprecated Judges rules with migration guidance,
+ * sunset dates, and replacement rules. Emits warnings when deprecated
+ * rules appear in findings or config.
+ *
+ * Usage:
+ *   judges deprecated                        # List all deprecated rules
+ *   judges deprecated --check .judgesrc      # Check config for deprecated rules
+ *   judges deprecated --format json          # JSON output
+ */
+export interface DeprecatedRule {
+    /** The deprecated rule ID */
+    ruleId: string;
+    /** When it was deprecated (version) */
+    deprecatedIn: string;
+    /** When it will be removed (version, or "TBD") */
+    removedIn: string;
+    /** Why it was deprecated */
+    reason: string;
+    /** Replacement rule(s), if any */
+    replacements: string[];
+    /** Migration guidance */
+    migration: string;
+}
+export interface DeprecationWarning {
+    ruleId: string;
+    location: "config" | "finding";
+    message: string;
+    replacements: string[];
+}
+export declare function getDeprecatedRules(): DeprecatedRule[];
+export declare function isRuleDeprecated(ruleId: string): DeprecatedRule | undefined;
+/**
+ * Check a config for references to deprecated rules.
+ * Scans disabledRules, ruleOverrides, and customRules.
+ */
+export declare function checkConfigForDeprecated(config: Record<string, unknown>): DeprecationWarning[];
+/**
+ * Check findings for deprecated rules and annotate them.
+ */
+export declare function annotateDeprecatedFindings(findings: Array<{
+    ruleId: string;
+    [key: string]: unknown;
+}>): DeprecationWarning[];
+export declare function runDeprecatedCommand(argv: string[]): void;
+//# sourceMappingURL=deprecated.d.ts.map

package/dist/commands/deprecated.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"deprecated.d.ts","sourceRoot":"","sources":["../../src/commands/deprecated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,MAAM,WAAW,cAAc;IAC7B,6BAA6B;IAC7B,MAAM,EAAE,MAAM,CAAC;IACf,uCAAuC;IACvC,YAAY,EAAE,MAAM,CAAC;IACrB,kDAAkD;IAClD,SAAS,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,kCAAkC;IAClC,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,yBAAyB;IACzB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,QAAQ,GAAG,SAAS,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAoDD,wBAAgB,kBAAkB,IAAI,cAAc,EAAE,CAErD;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS,CAE3E;AAED;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,kBAAkB,EAAE,CA8C9F;AAED;;GAEG;AACH,wBAAgB,0BAA0B,CACxC,QAAQ,EAAE,KAAK,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CAAE,CAAC,GAC1D,kBAAkB,EAAE,CAmBtB;AAID,wBAAgB,oBAAoB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CA6EzD"}

package/dist/commands/deprecated.js

@@ -0,0 +1,202 @@
+/**
+ * Rule deprecation lifecycle management.
+ *
+ * Provides a registry of deprecated Judges rules with migration guidance,
+ * sunset dates, and replacement rules. Emits warnings when deprecated
+ * rules appear in findings or config.
+ *
+ * Usage:
+ *   judges deprecated                        # List all deprecated rules
+ *   judges deprecated --check .judgesrc      # Check config for deprecated rules
+ *   judges deprecated --format json          # JSON output
+ */
+// ─── Deprecated Rules Registry ──────────────────────────────────────────────
+const DEPRECATED_RULES = [
+    {
+        ruleId: "SEC-EVAL-001",
+        deprecatedIn: "3.10.0",
+        removedIn: "4.0.0",
+        reason: "Merged into SEC-INJ-001 for unified injection detection",
+        replacements: ["SEC-INJ-001"],
+        migration: "Replace SEC-EVAL-001 references in ruleOverrides with SEC-INJ-001. The new rule covers eval(), Function(), and other injection vectors.",
+    },
+    {
+        ruleId: "PERF-LOOP-001",
+        deprecatedIn: "3.15.0",
+        removedIn: "4.0.0",
+        reason: "Superseded by the more comprehensive PERF-COMPLEXITY-001 which covers loops, recursion, and algorithmic complexity",
+        replacements: ["PERF-COMPLEXITY-001"],
+        migration: "Update ruleOverrides to use PERF-COMPLEXITY-001. The new rule has more granular severity options.",
+    },
+    {
+        ruleId: "DOC-INLINE-001",
+        deprecatedIn: "3.20.0",
+        removedIn: "4.0.0",
+        reason: "Split into DOC-FUNC-001 (function docs) and DOC-CLASS-001 (class docs) for more targeted analysis",
+        replacements: ["DOC-FUNC-001", "DOC-CLASS-001"],
+        migration: "Replace DOC-INLINE-001 in ruleOverrides with DOC-FUNC-001 and/or DOC-CLASS-001 depending on your needs.",
+    },
+    {
+        ruleId: "DATA-PII-001",
+        deprecatedIn: "3.25.0",
+        removedIn: "4.0.0",
+        reason: "Replaced by DATA-001 which includes PII detection alongside other sensitive data patterns",
+        replacements: ["DATA-001"],
+        migration: "Update references from DATA-PII-001 to DATA-001. The new rule has broader coverage.",
+    },
+    {
+        ruleId: "SEC-CRYPTO-WEAK",
+        deprecatedIn: "3.30.0",
+        removedIn: "4.0.0",
+        reason: "Renamed to SEC-CRYPTO-001 for consistent naming convention",
+        replacements: ["SEC-CRYPTO-001"],
+        migration: "Simply rename SEC-CRYPTO-WEAK to SEC-CRYPTO-001 in all config references.",
+    },
+];
+// ─── Registry API ───────────────────────────────────────────────────────────
+export function getDeprecatedRules() {
+    return [...DEPRECATED_RULES];
+}
+export function isRuleDeprecated(ruleId) {
+    return DEPRECATED_RULES.find((r) => r.ruleId === ruleId);
+}
+/**
+ * Check a config for references to deprecated rules.
+ * Scans disabledRules, ruleOverrides, and customRules.
+ */
+export function checkConfigForDeprecated(config) {
+    const warnings = [];
+    // Check disabledRules
+    const disabled = (config.disabledRules || []);
+    for (const ruleId of disabled) {
+        const dep = isRuleDeprecated(ruleId);
+        if (dep) {
+            warnings.push({
+                ruleId,
+                location: "config",
+                message: `disabledRules contains deprecated rule "${ruleId}" (deprecated in v${dep.deprecatedIn}). ${dep.migration}`,
+                replacements: dep.replacements,
+            });
+        }
+    }
+    // Check ruleOverrides keys
+    const overrides = (config.ruleOverrides || {});
+    for (const ruleId of Object.keys(overrides)) {
+        const dep = isRuleDeprecated(ruleId);
+        if (dep) {
+            warnings.push({
+                ruleId,
+                location: "config",
+                message: `ruleOverrides references deprecated rule "${ruleId}" (deprecated in v${dep.deprecatedIn}). ${dep.migration}`,
+                replacements: dep.replacements,
+            });
+        }
+    }
+    // Check lockedRules
+    const locked = (config.lockedRules || []);
+    for (const ruleId of locked) {
+        const dep = isRuleDeprecated(ruleId);
+        if (dep) {
+            warnings.push({
+                ruleId,
+                location: "config",
+                message: `lockedRules contains deprecated rule "${ruleId}" (deprecated in v${dep.deprecatedIn}). ${dep.migration}`,
+                replacements: dep.replacements,
+            });
+        }
+    }
+    return warnings;
+}
+/**
+ * Check findings for deprecated rules and annotate them.
+ */
+export function annotateDeprecatedFindings(findings) {
+    const warnings = [];
+    const seen = new Set();
+    for (const finding of findings) {
+        if (seen.has(finding.ruleId))
+            continue;
+        const dep = isRuleDeprecated(finding.ruleId);
+        if (dep) {
+            seen.add(finding.ruleId);
+            warnings.push({
+                ruleId: finding.ruleId,
+                location: "finding",
+                message: `Rule "${finding.ruleId}" is deprecated since v${dep.deprecatedIn}. ${dep.reason}`,
+                replacements: dep.replacements,
+            });
+        }
+    }
+    return warnings;
+}
+// ─── CLI Runner ─────────────────────────────────────────────────────────────
+export function runDeprecatedCommand(argv) {
+    if (argv.includes("--help") || argv.includes("-h")) {
+        console.log(`
+judges deprecated — Rule deprecation lifecycle
+
+Usage:
+  judges deprecated                        List all deprecated rules
+  judges deprecated --check .judgesrc      Check config for deprecated references
+  judges deprecated --format json          JSON output
+
+Shows deprecated rules with migration guidance, replacement rules, and removal timeline.
+
+Options:
+  --check <path>     Check a .judgesrc for deprecated rule references
+  --format <fmt>     Output format: text, json
+  --help, -h         Show this help
+`);
+        return;
+    }
+    const format = argv.find((_a, i) => argv[i - 1] === "--format") || "text";
+    const checkPath = argv.find((_a, i) => argv[i - 1] === "--check");
+    // Check config mode
+    if (checkPath) {
+        try {
+            const { readFileSync, existsSync } = require("fs");
+            if (!existsSync(checkPath)) {
+                console.log(`\n  File not found: ${checkPath}\n`);
+                return;
+            }
+            const config = JSON.parse(readFileSync(checkPath, "utf-8"));
+            const warnings = checkConfigForDeprecated(config);
+            if (format === "json") {
+                console.log(JSON.stringify({ warnings }, null, 2));
+                return;
+            }
+            console.log(`\n  Checking ${checkPath} for deprecated rules...\n`);
+            if (warnings.length === 0) {
+                console.log("  ✅ No deprecated rule references found.\n");
+            }
+            else {
+                for (const w of warnings) {
+                    console.log(`  ⚠️  ${w.message}`);
+                    if (w.replacements.length > 0) {
+                        console.log(`      → Replace with: ${w.replacements.join(", ")}`);
+                    }
+                    console.log("");
+                }
+            }
+            return;
+        }
+        catch (err) {
+            console.error(`\n  Error checking config: ${err instanceof Error ? err.message : String(err)}\n`);
+            return;
+        }
+    }
+    // List all deprecated rules
+    const rules = getDeprecatedRules();
+    if (format === "json") {
+        console.log(JSON.stringify({ deprecatedRules: rules }, null, 2));
+        return;
+    }
+    console.log("\n  Deprecated Rules\n");
+    console.log(`  ${"RULE ID".padEnd(20)}  ${"DEPRECATED IN".padEnd(15)}  ${"REMOVED IN".padEnd(12)}  REPLACEMENT(S)`);
+    console.log(`  ${"─".repeat(20)}  ${"─".repeat(15)}  ${"─".repeat(12)}  ${"─".repeat(25)}`);
+    for (const rule of rules) {
+        console.log(`  ${rule.ruleId.padEnd(20)}  v${rule.deprecatedIn.padEnd(14)}  v${rule.removedIn.padEnd(11)}  ${rule.replacements.join(", ") || "—"}`);
+    }
+    console.log(`\n  ${rules.length} deprecated rule(s). Run with --check <config> to scan your .judgesrc.\n`);
+}
+//# sourceMappingURL=deprecated.js.map

package/dist/commands/deprecated.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"deprecated.js","sourceRoot":"","sources":["../../src/commands/deprecated.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AA0BH,+EAA+E;AAE/E,MAAM,gBAAgB,GAAqB;IACzC;QACE,MAAM,EAAE,cAAc;QACtB,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,OAAO;QAClB,MAAM,EAAE,yDAAyD;QACjE,YAAY,EAAE,CAAC,aAAa,CAAC;QAC7B,SAAS,EACP,yIAAyI;KAC5I;IACD;QACE,MAAM,EAAE,eAAe;QACvB,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,OAAO;QAClB,MAAM,EACJ,oHAAoH;QACtH,YAAY,EAAE,CAAC,qBAAqB,CAAC;QACrC,SAAS,EAAE,mGAAmG;KAC/G;IACD;QACE,MAAM,EAAE,gBAAgB;QACxB,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,OAAO;QAClB,MAAM,EAAE,mGAAmG;QAC3G,YAAY,EAAE,CAAC,cAAc,EAAE,eAAe,CAAC;QAC/C,SAAS,EACP,yGAAyG;KAC5G;IACD;QACE,MAAM,EAAE,cAAc;QACtB,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,OAAO;QAClB,MAAM,EAAE,2FAA2F;QACnG,YAAY,EAAE,CAAC,UAAU,CAAC;QAC1B,SAAS,EAAE,qFAAqF;KACjG;IACD;QACE,MAAM,EAAE,iBAAiB;QACzB,YAAY,EAAE,QAAQ;QACtB,SAAS,EAAE,OAAO;QAClB,MAAM,EAAE,4DAA4D;QACpE,YAAY,EAAE,CAAC,gBAAgB,CAAC;QAChC,SAAS,EAAE,2EAA2E;KACvF;CACF,CAAC;AAEF,+EAA+E;AAE/E,MAAM,UAAU,kBAAkB;IAChC,OAAO,CAAC,GAAG,gBAAgB,CAAC,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,MAAc;IAC7C,OAAO,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC;AAC3D,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CAAC,MAA+B;IACtE,MAAM,QAAQ,GAAyB,EAAE,CAAC;IAE1C,sBAAsB;IACtB,MAAM,QAAQ,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAAa,CAAC;IAC1D,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;QAC9B,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,GAAG,EAAE,CAAC;YACR,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM;gBACN,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,2CAA2C,MAAM,qBAAqB,GAAG,CAAC,YAAY,MAAM,GAAG,CAAC,SAAS,EAAE;gBACpH,YAAY,EAAE,GAAG,CAAC,YAAY;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,aAAa,IAAI,EAAE,CAA4B,CAAC;IAC1E,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5C,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,GAAG,EAAE,CAAC;YACR,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM;gBACN,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,6CAA6C,MAAM,qBAAqB,GAAG,CAAC,YAAY,MAAM,GAAG,CAAC,SAAS,EAAE;gBACtH,YAAY,EAAE,GAAG,CAAC,YAAY;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oBAAoB;IACpB,MAAM,MAAM,GAAG,CAAC,MAAM,CAAC,WAAW,IAAI,EAAE,CAAa,CAAC;IACtD,KAAK,MAAM,MAAM,IAAI,MAAM,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,gBAAgB,CAAC,MAAM,CAAC,CAAC;QACrC,IAAI,GAAG,EAAE,CAAC;YACR,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM;gBACN,QAAQ,EAAE,QAAQ;gBAClB,OAAO,EAAE,yCAAyC,MAAM,qBAAqB,GAAG,CAAC,YAAY,MAAM,GAAG,CAAC,SAAS,EAAE;gBAClH,YAAY,EAAE,GAAG,CAAC,YAAY;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,0BAA0B,CACxC,QAA2D;IAE3D,MAAM,QAAQ,GAAyB,EAAE,CAAC;IAC1C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAE/B,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC;YAAE,SAAS;QACvC,MAAM,GAAG,GAAG,gBAAgB,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC7C,IAAI,GAAG,EAAE,CAAC;YACR,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;YACzB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,QAAQ,EAAE,SAAS;gBACnB,OAAO,EAAE,SAAS,OAAO,CAAC,MAAM,0BAA0B,GAAG,CAAC,YAAY,KAAK,GAAG,CAAC,MAAM,EAAE;gBAC3F,YAAY,EAAE,GAAG,CAAC,YAAY;aAC/B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,+EAA+E;AAE/E,MAAM,UAAU,oBAAoB,CAAC,IAAc;IACjD,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC;;;;;;;;;;;;;;CAcf,CAAC,CAAC;QACC,OAAO;IACT,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,UAAU,CAAC,IAAI,MAAM,CAAC;IAC1E,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,SAAS,CAAC,CAAC;IAElE,oBAAoB;IACpB,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;YACnD,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3B,OAAO,CAAC,GAAG,CAAC,uBAAuB,SAAS,IAAI,CAAC,CAAC;gBAClD,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;YAC5D,MAAM,QAAQ,GAAG,wBAAwB,CAAC,MAAM,CAAC,CAAC;YAElD,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;gBACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBACnD,OAAO;YACT,CAAC;YAED,OAAO,CAAC,GAAG,CAAC,gBAAgB,SAAS,4BAA4B,CAAC,CAAC;YACnE,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,4CAA4C,CAAC,CAAC;YAC5D,CAAC;iBAAM,CAAC;gBACN,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;oBACzB,OAAO,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;oBAClC,IAAI,CAAC,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;oBACpE,CAAC;oBACD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAClB,CAAC;YACH,CAAC;YACD,OAAO;QACT,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,CAAC,KAAK,CAAC,8BAA8B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YAClG,OAAO;QACT,CAAC;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,KAAK,GAAG,kBAAkB,EAAE,CAAC;IAEnC,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,eAAe,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QACjE,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;IACtC,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,eAAe,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;IACpH,OAAO,CAAC,GAAG,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAE5F,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,OAAO,CAAC,GAAG,CACT,KAAK,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CACvI,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,OAAO,KAAK,CAAC,MAAM,0EAA0E,CAAC,CAAC;AAC7G,CAAC"}

package/dist/commands/diff.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":"AA2YA,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CA2BlG;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAgI5C"}
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/commands/diff.ts"],"names":[],"mappings":"AAgZA,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CA2BlG;AAED,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,IAAI,CAgI5C"}

package/dist/commands/diff.js

@@ -157,7 +157,7 @@ const SECURITY_DELETION_PATTERNS = [
  * Analyze removed lines for security-relevant deletions.
  * Returns findings for patterns that were deleted from the codebase.
  */
-function analyzeDeletions(removedLines, filePath) {
+function analyzeDeletions(removedLines, _filePath) {
     if (removedLines.length === 0)
         return [];
     const findings = [];
@@ -208,8 +208,13 @@ function extractExportedSignatures(lines) {
 function countParams(paramStr) {
     if (!paramStr.trim())
         return 0;
-    // Handle generic type parameters by removing angle-bracket contents
-    const cleaned = paramStr.replace(/<[^>]*>/g, "");
+    // Handle generic type parameters by removing angle-bracket contents iteratively
+    let cleaned = paramStr;
+    let prev;
+    do {
+        prev = cleaned;
+        cleaned = cleaned.replace(/<[^>]*>/g, "");
+    } while (cleaned !== prev);
     return cleaned.split(",").length;
 }
 /**