@nektarlabs/pushguard 1.0.0

package/LICENSE

@@ -0,0 +1,7 @@
+Copyright 2026 Nektar Labs SRL
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

package/README.md

@@ -0,0 +1,97 @@
+# pushguard
+
+Pre-push hook that analyzes your code changes with [Claude Code](https://docs.anthropic.com/en/docs/claude-code) before pushing. Catches security issues, bugs, logic errors, and code quality problems automatically.
+
+## Prerequisites
+
+- [Claude Code CLI](https://docs.anthropic.com/en/docs/claude-code) installed and authenticated
+- Node.js >= 22.14.0
+- Git
+
+## Install
+
+```bash
+pnpm add -D @nektarlabs/pushguard husky
+```
+
+## Setup
+
+```bash
+npx pushguard init
+```
+
+This creates a `.husky/pre-push` hook that runs pushguard before every push.
+
+## How it works
+
+1. You run `git push`
+2. Pushguard computes the diff of all unpushed commits
+3. The diff is sent to Claude Code for analysis
+4. Claude returns a structured verdict with categorized issues
+5. Push is **blocked** if any issue meets the severity threshold, otherwise allowed
+
+## Manual analysis
+
+You can run the analysis manually at any time without pushing:
+
+```bash
+npx pushguard analyze
+```
+
+This diffs your unpushed commits against the remote tracking branch (or `origin/main` as fallback) and runs the same analysis as the pre-push hook.
+
+## Configuration
+
+Add a `"pushguard"` key to your `package.json` or create a `.pushguard.json` file:
+
+```json
+{
+  "categories": ["security", "bug", "logic", "performance", "quality", "style"],
+  "blockOnSeverity": "high",
+  "model": "claude-opus-4-6",
+  "maxDiffSize": 100000,
+  "failOnError": false,
+  "exclude": ["*.lock", "*.min.js", "*.map", "dist/**"],
+  "verbose": false,
+  "skipBranches": ["develop"],
+  "customPrompt": "Also check for proper error handling"
+}
+```
+
+### Options
+
+| Option            | Default                                                         | Description                                                                  |
+| ----------------- | --------------------------------------------------------------- | ---------------------------------------------------------------------------- |
+| `categories`      | `["security", "bug", "logic"]`                                  | What to check: `security`, `bug`, `logic`, `performance`, `quality`, `style` |
+| `blockOnSeverity` | `"high"`                                                        | Minimum severity to block push: `critical`, `high`, `medium`, `low`          |
+| `model`           | `"claude-opus-4-6"`                                             | Claude model to use                                                          |
+| `maxDiffSize`     | `100000`                                                        | Max diff size in bytes before truncation                                     |
+| `failOnError`     | `false`                                                         | Block push if Claude CLI errors (fail-open by default)                       |
+| `exclude`         | `["*.lock", "*.min.js", "*.map", "dist/**", "node_modules/**"]` | File patterns to skip                                                        |
+| `verbose`         | `false`                                                         | Show full analysis summary                                                   |
+| `skipBranches`    | `[]`                                                            | Branch patterns to skip (supports trailing `*` wildcard)                     |
+| `customPrompt`    | —                                                               | Additional instructions for the review                                       |
+
+## Example output
+
+```
+pushguard: Analyzing 3 changed files before push...
+
+  CRITICAL  security  src/auth/login.ts:42
+  Hardcoded API secret exposed in source code
+  > Move to environment variable: const API_KEY = process.env.API_KEY
+
+  HIGH  bug  src/utils/parse.ts:18
+  Uncaught exception when input is null
+  > Add null check: if (input == null) return []
+
+  HIGH  logic  src/billing/calc.ts:55
+  Wrong comparison operator causes free tier users to be charged
+  > Change `>=` to `>`: if (usage > FREE_TIER_LIMIT)
+
+pushguard: Push BLOCKED (1 critical, 2 high)
+```
+
+## License
+
+MIT

package/bin/pushguard.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import "../dist/cli.js";

package/dist/analysis/claude.d.ts

@@ -0,0 +1,4 @@
+import type { GuardStagedConfig } from "../config/schema.js";
+import type { AnalysisResult } from "../types.js";
+export declare function analyzeWithClaude(systemPrompt: string, userPrompt: string, config: GuardStagedConfig): Promise<AnalysisResult>;
+//# sourceMappingURL=claude.d.ts.map

package/dist/analysis/claude.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude.d.ts","sourceRoot":"","sources":["../../src/analysis/claude.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAIlD,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,MAAM,EAAE,iBAAiB,GACxB,OAAO,CAAC,cAAc,CAAC,CAOzB"}

package/dist/analysis/claude.js

@@ -0,0 +1,65 @@
+import { spawn } from "node:child_process";
+const TIMEOUT_MS = 60_000;
+export async function analyzeWithClaude(systemPrompt, userPrompt, config) {
+    const prompt = `${systemPrompt}\n\n---\n\n${userPrompt}`;
+    const args = ["-p", prompt, "--output-format", "json", "--model", config.model, "--max-turns", "1"];
+    const stdout = await spawnClaude(args);
+    return parseClaudeResponse(stdout);
+}
+function spawnClaude(args) {
+    return new Promise((resolve, reject) => {
+        const child = spawn("claude", args, {
+            env: {
+                ...process.env,
+                CLAUDE_CODE_ENTRYPOINT: undefined,
+                CLAUDECODE: undefined,
+            },
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        child.stdout.on("data", (data) => {
+            stdout += data.toString();
+        });
+        child.stderr.on("data", (data) => {
+            stderr += data.toString();
+        });
+        const timer = setTimeout(() => {
+            child.kill();
+            reject(new Error("Claude CLI timed out"));
+        }, TIMEOUT_MS);
+        child.on("close", (code) => {
+            clearTimeout(timer);
+            if (code !== 0) {
+                reject(new Error(`Claude CLI exited with code ${code}: ${stderr}`));
+            }
+            else {
+                resolve(stdout);
+            }
+        });
+        child.on("error", (err) => {
+            clearTimeout(timer);
+            reject(err);
+        });
+    });
+}
+function parseClaudeResponse(raw) {
+    const response = JSON.parse(raw);
+    // Claude CLI --output-format json wraps the result
+    const text = response.result ?? response.content ?? raw;
+    // Try to extract JSON from the text
+    const jsonMatch = text.match(/\{[\s\S]*\}/);
+    if (!jsonMatch) {
+        throw new Error("No JSON object found in Claude response");
+    }
+    const parsed = JSON.parse(jsonMatch[0]);
+    // Validate required fields
+    if (!parsed.verdict || !parsed.summary || !Array.isArray(parsed.issues)) {
+        throw new Error("Invalid analysis result structure");
+    }
+    if (!["pass", "warn", "fail"].includes(parsed.verdict)) {
+        throw new Error(`Invalid verdict: ${parsed.verdict}`);
+    }
+    return parsed;
+}
+//# sourceMappingURL=claude.js.map

package/dist/analysis/claude.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"claude.js","sourceRoot":"","sources":["../../src/analysis/claude.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,EAAE,MAAM,oBAAoB,CAAC;AAI3C,MAAM,UAAU,GAAG,MAAM,CAAC;AAE1B,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,YAAoB,EACpB,UAAkB,EAClB,MAAyB;IAEzB,MAAM,MAAM,GAAG,GAAG,YAAY,cAAc,UAAU,EAAE,CAAC;IAEzD,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,iBAAiB,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,aAAa,EAAE,GAAG,CAAC,CAAC;IAEpG,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;IACvC,OAAO,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACrC,CAAC;AAED,SAAS,WAAW,CAAC,IAAc;IACjC,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,EAAE,IAAI,EAAE;YAClC,GAAG,EAAE;gBACH,GAAG,OAAO,CAAC,GAAG;gBACd,sBAAsB,EAAE,SAAS;gBACjC,UAAU,EAAE,SAAS;aACtB;YACD,KAAK,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,MAAM,GAAG,EAAE,CAAC;QAChB,IAAI,MAAM,GAAG,EAAE,CAAC;QAEhB,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,IAAY,EAAE,EAAE;YACvC,MAAM,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE;YAC5B,KAAK,CAAC,IAAI,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAC;QAC5C,CAAC,EAAE,UAAU,CAAC,CAAC;QAEf,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,IAAmB,EAAE,EAAE;YACxC,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,IAAI,IAAI,KAAK,CAAC,EAAE,CAAC;gBACf,MAAM,CAAC,IAAI,KAAK,CAAC,+BAA+B,IAAI,KAAK,MAAM,EAAE,CAAC,CAAC,CAAC;YACtE,CAAC;iBAAM,CAAC;gBACN,OAAO,CAAC,MAAM,CAAC,CAAC;YAClB,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,KAAK,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAU,EAAE,EAAE;YAC/B,YAAY,CAAC,KAAK,CAAC,CAAC;YACpB,MAAM,CAAC,GAAG,CAAC,CAAC;QACd,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,GAAW;IACtC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAEjC,mDAAmD;IACnD,MAAM,IAAI,GAAW,QAAQ,CAAC,MAAM,IAAI,QAAQ,CAAC,OAAO,IAAI,GAAG,CAAC;IAEhE,oCAAoC;IACpC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IAC5C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,CAAmB,CAAC;IAE1D,2BAA2B;IAC3B,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC;QACxE,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,CAAC;IACvD,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,oBAAoB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC;IACxD,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/analysis/prompt.d.ts

@@ -0,0 +1,5 @@
+import type { GuardStagedConfig } from "../config/schema.js";
+import type { DiffResult } from "../types.js";
+export declare function buildSystemPrompt(config: GuardStagedConfig): string;
+export declare function buildUserPrompt(diffResult: DiffResult): string;
+//# sourceMappingURL=prompt.d.ts.map

package/dist/analysis/prompt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.d.ts","sourceRoot":"","sources":["../../src/analysis/prompt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAI9C,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,iBAAiB,GAAG,MAAM,CA2CnE;AAED,wBAAgB,eAAe,CAAC,UAAU,EAAE,UAAU,GAAG,MAAM,CAc9D"}

package/dist/analysis/prompt.js

@@ -0,0 +1,54 @@
+const SEVERITY_ORDER = ["critical", "high", "medium", "low", "info"];
+export function buildSystemPrompt(config) {
+    const categories = config.categories.join(", ");
+    const blockIdx = SEVERITY_ORDER.indexOf(config.blockOnSeverity);
+    const blockSeverities = SEVERITY_ORDER.slice(0, blockIdx + 1).join(", ");
+    let prompt = `You are a code review guardian analyzing a git diff before push.
+
+Focus areas: ${categories}
+Blocking severities: ${blockSeverities}
+
+Rules:
+- Set verdict to "fail" if any issue of severity ${blockSeverities} is found
+- Set verdict to "warn" if issues exist but none meet the blocking threshold
+- Set verdict to "pass" if no actionable issues are found
+- Be precise about file paths and line numbers (from the diff headers)
+- Only report real, actionable issues — no nitpicks unless "style" is in the focus areas
+- For security issues, check for: hardcoded secrets, injection vulnerabilities, auth bypasses, insecure crypto, exposed sensitive data
+- For bugs, check for: null/undefined errors, off-by-one, race conditions, unhandled exceptions
+- For logic errors, check for: incorrect conditionals, inverted boolean logic, wrong operator (e.g. && vs ||), unreachable code paths, missing edge cases, incorrect state transitions, flawed control flow, wrong variable used in comparisons, off-by-one in loops/ranges
+- For every issue, always include a "suggestion" field with a concrete fix (show the corrected code snippet when possible)
+- Be concise in messages and suggestions
+
+Respond with ONLY a JSON object (no markdown, no code fences, no explanation) matching this exact schema:
+{
+  "verdict": "pass" | "warn" | "fail",
+  "summary": "Brief summary of findings",
+  "issues": [
+    {
+      "severity": "critical" | "high" | "medium" | "low" | "info",
+      "category": "security" | "bug" | "logic" | "performance" | "quality" | "style",
+      "file": "path/to/file",
+      "line": 42,
+      "message": "Description of the issue",
+      "suggestion": "How to fix it (include corrected code when possible)"
+    }
+  ]
+}`;
+    if (config.customPrompt) {
+        prompt += `\n\nAdditional instructions:\n${config.customPrompt}`;
+    }
+    return prompt;
+}
+export function buildUserPrompt(diffResult) {
+    if (!diffResult.diff) {
+        return "No changes to analyze.";
+    }
+    let prompt = `## Changed files\n${diffResult.files.join("\n")}\n\n`;
+    if (diffResult.truncated) {
+        prompt += `**Note:** The diff was truncated due to size. Focus on the available content.\n\n`;
+    }
+    prompt += `## Diff\n\`\`\`diff\n${diffResult.diff}\n\`\`\``;
+    return prompt;
+}
+//# sourceMappingURL=prompt.js.map

package/dist/analysis/prompt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"prompt.js","sourceRoot":"","sources":["../../src/analysis/prompt.ts"],"names":[],"mappings":"AAGA,MAAM,cAAc,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAU,CAAC;AAE9E,MAAM,UAAU,iBAAiB,CAAC,MAAyB;IACzD,MAAM,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAChD,MAAM,QAAQ,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;IAChE,MAAM,eAAe,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,QAAQ,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEzE,IAAI,MAAM,GAAG;;eAEA,UAAU;uBACF,eAAe;;;mDAGa,eAAe;;;;;;;;;;;;;;;;;;;;;;;;;EAyBhE,CAAC;IAED,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;QACxB,MAAM,IAAI,iCAAiC,MAAM,CAAC,YAAY,EAAE,CAAC;IACnE,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAsB;IACpD,IAAI,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;QACrB,OAAO,wBAAwB,CAAC;IAClC,CAAC;IAED,IAAI,MAAM,GAAG,qBAAqB,UAAU,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;IAEpE,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,IAAI,mFAAmF,CAAC;IAChG,CAAC;IAED,MAAM,IAAI,wBAAwB,UAAU,CAAC,IAAI,UAAU,CAAC;IAE5D,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":""}

package/dist/cli.js

@@ -0,0 +1,33 @@
+#!/usr/bin/env node
+import { parseArgs } from "node:util";
+async function main() {
+    const { positionals } = parseArgs({
+        allowPositionals: true,
+        strict: false,
+    });
+    const command = positionals[0];
+    switch (command) {
+        case "init": {
+            const { init } = await import("./setup/install.js");
+            await init();
+            break;
+        }
+        case "analyze": {
+            const { runAnalyze } = await import("./hooks/analyze.js");
+            const exitCode = await runAnalyze();
+            process.exit(exitCode);
+            break;
+        }
+        default: {
+            // Default: run as pre-push hook
+            const { runPrePush } = await import("./hooks/pre-push.js");
+            const exitCode = await runPrePush();
+            process.exit(exitCode);
+        }
+    }
+}
+main().catch((error) => {
+    console.error("guard-staged: Fatal error:", error);
+    process.exit(1);
+});
+//# sourceMappingURL=cli.js.map

package/dist/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,KAAK,UAAU,IAAI;IACjB,MAAM,EAAE,WAAW,EAAE,GAAG,SAAS,CAAC;QAChC,gBAAgB,EAAE,IAAI;QACtB,MAAM,EAAE,KAAK;KACd,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAE/B,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,CAAC;YACZ,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YACpD,MAAM,IAAI,EAAE,CAAC;YACb,MAAM;QACR,CAAC;QACD,KAAK,SAAS,CAAC,CAAC,CAAC;YACf,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;YAC1D,MAAM,QAAQ,GAAG,MAAM,UAAU,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACvB,MAAM;QACR,CAAC;QACD,OAAO,CAAC,CAAC,CAAC;YACR,gCAAgC;YAChC,MAAM,EAAE,UAAU,EAAE,GAAG,MAAM,MAAM,CAAC,qBAAqB,CAAC,CAAC;YAC3D,MAAM,QAAQ,GAAG,MAAM,UAAU,EAAE,CAAC;YACpC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;AACH,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,4BAA4B,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/dist/config/defaults.d.ts

@@ -0,0 +1,3 @@
+import type { GuardStagedConfig } from "./schema.js";
+export declare const DEFAULTS: GuardStagedConfig;
+//# sourceMappingURL=defaults.d.ts.map

package/dist/config/defaults.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.d.ts","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAErD,eAAO,MAAM,QAAQ,EAAE,iBAStB,CAAC"}

package/dist/config/defaults.js

@@ -0,0 +1,11 @@
+export const DEFAULTS = {
+    categories: ["security", "bug", "logic"],
+    blockOnSeverity: "high",
+    model: "claude-opus-4-6",
+    maxDiffSize: 100_000,
+    failOnError: false,
+    exclude: ["*.lock", "*.min.js", "*.map", "dist/**", "node_modules/**"],
+    verbose: false,
+    skipBranches: [],
+};
+//# sourceMappingURL=defaults.js.map

package/dist/config/defaults.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../src/config/defaults.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAAsB;IACzC,UAAU,EAAE,CAAC,UAAU,EAAE,KAAK,EAAE,OAAO,CAAC;IACxC,eAAe,EAAE,MAAM;IACvB,KAAK,EAAE,iBAAiB;IACxB,WAAW,EAAE,OAAO;IACpB,WAAW,EAAE,KAAK;IAClB,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,EAAE,OAAO,EAAE,SAAS,EAAE,iBAAiB,CAAC;IACtE,OAAO,EAAE,KAAK;IACd,YAAY,EAAE,EAAE;CACjB,CAAC"}

package/dist/config/loader.d.ts

@@ -0,0 +1,3 @@
+import type { GuardStagedConfig } from "./schema.js";
+export declare function loadConfig(cwd?: string): Promise<GuardStagedConfig>;
+//# sourceMappingURL=loader.d.ts.map

package/dist/config/loader.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAGrD,wBAAsB,UAAU,CAAC,GAAG,GAAE,MAAsB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAGxF"}

package/dist/config/loader.js

@@ -0,0 +1,30 @@
+import { readFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { DEFAULTS } from "./defaults.js";
+export async function loadConfig(cwd = process.cwd()) {
+    const overrides = (await loadFromRc(cwd)) ?? (await loadFromPackageJson(cwd));
+    return { ...DEFAULTS, ...overrides };
+}
+async function loadFromRc(cwd) {
+    try {
+        const content = await readFile(resolve(cwd, ".pushguard.json"), "utf-8");
+        return JSON.parse(content);
+    }
+    catch {
+        return null;
+    }
+}
+async function loadFromPackageJson(cwd) {
+    try {
+        const content = await readFile(resolve(cwd, "package.json"), "utf-8");
+        const pkg = JSON.parse(content);
+        if (pkg["pushguard"] && typeof pkg["pushguard"] === "object") {
+            return pkg["pushguard"];
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+//# sourceMappingURL=loader.js.map

package/dist/config/loader.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC1D,MAAM,SAAS,GAAG,CAAC,MAAM,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC;IAC9E,OAAO,EAAE,GAAG,QAAQ,EAAE,GAAG,SAAS,EAAE,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,UAAU,CAAC,GAAW;IACnC,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,iBAAiB,CAAC,EAAE,OAAO,CAAC,CAAC;QACzE,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAA+B,CAAC;IAC3D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,GAAW;IAC5C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAA4B,CAAC;QAC3D,IAAI,GAAG,CAAC,WAAW,CAAC,IAAI,OAAO,GAAG,CAAC,WAAW,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC7D,OAAO,GAAG,CAAC,WAAW,CAA+B,CAAC;QACxD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC"}

package/dist/config/schema.d.ts

@@ -0,0 +1,21 @@
+export interface GuardStagedConfig {
+    /** Categories to check */
+    categories: ("security" | "bug" | "logic" | "performance" | "quality" | "style")[];
+    /** Minimum severity to block push */
+    blockOnSeverity: "critical" | "high" | "medium" | "low";
+    /** Claude model to use */
+    model: string;
+    /** Max diff size in bytes before truncation */
+    maxDiffSize: number;
+    /** Whether to block push if Claude CLI fails */
+    failOnError: boolean;
+    /** File patterns to exclude from analysis */
+    exclude: string[];
+    /** Custom additional prompt instructions */
+    customPrompt?: string;
+    /** Whether to show the full analysis or just the verdict */
+    verbose: boolean;
+    /** Skip analysis for these branch patterns */
+    skipBranches: string[];
+}
+//# sourceMappingURL=schema.d.ts.map

package/dist/config/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,iBAAiB;IAChC,0BAA0B;IAC1B,UAAU,EAAE,CAAC,UAAU,GAAG,KAAK,GAAG,OAAO,GAAG,aAAa,GAAG,SAAS,GAAG,OAAO,CAAC,EAAE,CAAC;IACnF,qCAAqC;IACrC,eAAe,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACxD,0BAA0B;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,WAAW,EAAE,MAAM,CAAC;IACpB,gDAAgD;IAChD,WAAW,EAAE,OAAO,CAAC;IACrB,6CAA6C;IAC7C,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,4CAA4C;IAC5C,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,4DAA4D;IAC5D,OAAO,EAAE,OAAO,CAAC;IACjB,8CAA8C;IAC9C,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB"}

package/dist/config/schema.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=schema.js.map

package/dist/config/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":""}

package/dist/git/diff.d.ts

@@ -0,0 +1,5 @@
+import type { PushRef, DiffResult } from "../types.js";
+import type { GuardStagedConfig } from "../config/schema.js";
+export declare function getDefaultBranch(): Promise<string>;
+export declare function getDiff(pushRef: PushRef, config: GuardStagedConfig): Promise<DiffResult>;
+//# sourceMappingURL=diff.d.ts.map

package/dist/git/diff.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff.d.ts","sourceRoot":"","sources":["../../src/git/diff.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACvD,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAI7D,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,MAAM,CAAC,CAOxD;AAED,wBAAsB,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,iBAAiB,GAAG,OAAO,CAAC,UAAU,CAAC,CAmE9F"}

package/dist/git/diff.js

@@ -0,0 +1,86 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+const exec = promisify(execFile);
+export async function getDefaultBranch() {
+    try {
+        const { stdout } = await exec("git", ["symbolic-ref", "refs/remotes/origin/HEAD", "--short"]);
+        return stdout.trim().replace("origin/", "");
+    }
+    catch {
+        return "main";
+    }
+}
+export async function getDiff(pushRef, config) {
+    if (pushRef.isDelete) {
+        return { diff: "", files: [], truncated: false };
+    }
+    let baseRef;
+    if (pushRef.isNew) {
+        const defaultBranch = await getDefaultBranch();
+        try {
+            const { stdout } = await exec("git", ["merge-base", `origin/${defaultBranch}`, pushRef.localSha]);
+            baseRef = stdout.trim();
+        }
+        catch {
+            // If merge-base fails, diff against the default branch tip
+            baseRef = `origin/${defaultBranch}`;
+        }
+    }
+    else {
+        baseRef = pushRef.remoteSha;
+    }
+    // Get the list of changed files
+    const { stdout: fileList } = await exec("git", [
+        "diff",
+        "--name-only",
+        "--diff-filter=ACMR",
+        `${baseRef}..${pushRef.localSha}`,
+    ]);
+    const files = fileList
+        .trim()
+        .split("\n")
+        .filter(Boolean)
+        .filter((f) => !matchesExcludePattern(f, config.exclude));
+    if (files.length === 0) {
+        return { diff: "", files: [], truncated: false };
+    }
+    // Get the full diff
+    const { stdout: diff } = await exec("git", [
+        "diff",
+        "--diff-filter=ACMR",
+        `${baseRef}..${pushRef.localSha}`,
+        "--",
+        ...files,
+    ]);
+    // Check size and truncate if needed
+    if (Buffer.byteLength(diff) > config.maxDiffSize) {
+        const { stdout: stat } = await exec("git", [
+            "diff",
+            "--stat",
+            "--diff-filter=ACMR",
+            `${baseRef}..${pushRef.localSha}`,
+            "--",
+            ...files,
+        ]);
+        const truncatedDiff = diff.slice(0, config.maxDiffSize);
+        return {
+            diff: `[TRUNCATED — diff exceeded ${config.maxDiffSize} bytes]\n\n## Diff stat\n${stat}\n\n## Partial diff\n${truncatedDiff}`,
+            files,
+            truncated: true,
+        };
+    }
+    return { diff, files, truncated: false };
+}
+function matchesExcludePattern(file, patterns) {
+    return patterns.some((pattern) => {
+        // Simple glob matching: *.ext and dir/**
+        if (pattern.startsWith("*.")) {
+            return file.endsWith(pattern.slice(1));
+        }
+        if (pattern.endsWith("/**")) {
+            return file.startsWith(pattern.slice(0, -3));
+        }
+        return file === pattern;
+    });
+}
+//# sourceMappingURL=diff.js.map

package/dist/git/diff.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diff.js","sourceRoot":"","sources":["../../src/git/diff.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAItC,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC,MAAM,CAAC,KAAK,UAAU,gBAAgB;IACpC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,cAAc,EAAE,0BAA0B,EAAE,SAAS,CAAC,CAAC,CAAC;QAC9F,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,MAAM,CAAC;IAChB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,OAAgB,EAAE,MAAyB;IACvE,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACnD,CAAC;IAED,IAAI,OAAe,CAAC;IAEpB,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,MAAM,aAAa,GAAG,MAAM,gBAAgB,EAAE,CAAC;QAC/C,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,YAAY,EAAE,UAAU,aAAa,EAAE,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC,CAAC;YAClG,OAAO,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,2DAA2D;YAC3D,OAAO,GAAG,UAAU,aAAa,EAAE,CAAC;QACtC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,OAAO,CAAC,SAAS,CAAC;IAC9B,CAAC;IAED,gCAAgC;IAChC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE;QAC7C,MAAM;QACN,aAAa;QACb,oBAAoB;QACpB,GAAG,OAAO,KAAK,OAAO,CAAC,QAAQ,EAAE;KAClC,CAAC,CAAC;IAEH,MAAM,KAAK,GAAG,QAAQ;SACnB,IAAI,EAAE;SACN,KAAK,CAAC,IAAI,CAAC;SACX,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,qBAAqB,CAAC,CAAC,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC;IAE5D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,IAAI,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;IACnD,CAAC;IAED,oBAAoB;IACpB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE;QACzC,MAAM;QACN,oBAAoB;QACpB,GAAG,OAAO,KAAK,OAAO,CAAC,QAAQ,EAAE;QACjC,IAAI;QACJ,GAAG,KAAK;KACT,CAAC,CAAC;IAEH,oCAAoC;IACpC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,WAAW,EAAE,CAAC;QACjD,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE;YACzC,MAAM;YACN,QAAQ;YACR,oBAAoB;YACpB,GAAG,OAAO,KAAK,OAAO,CAAC,QAAQ,EAAE;YACjC,IAAI;YACJ,GAAG,KAAK;SACT,CAAC,CAAC;QAEH,MAAM,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;QACxD,OAAO;YACL,IAAI,EAAE,8BAA8B,MAAM,CAAC,WAAW,4BAA4B,IAAI,wBAAwB,aAAa,EAAE;YAC7H,KAAK;YACL,SAAS,EAAE,IAAI;SAChB,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AAC3C,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,QAAkB;IAC7D,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE;QAC/B,yCAAyC;QACzC,IAAI,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;YAC7B,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACzC,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;QAC/C,CAAC;QACD,OAAO,IAAI,KAAK,OAAO,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/git/parse-stdin.d.ts

@@ -0,0 +1,3 @@
+import type { PushRef } from "../types.js";
+export declare function parsePushRefs(input?: NodeJS.ReadableStream): Promise<PushRef[]>;
+//# sourceMappingURL=parse-stdin.d.ts.map

package/dist/git/parse-stdin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-stdin.d.ts","sourceRoot":"","sources":["../../src/git/parse-stdin.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAI3C,wBAAsB,aAAa,CAAC,KAAK,GAAE,MAAM,CAAC,cAA8B,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAyBpG"}

package/dist/git/parse-stdin.js

@@ -0,0 +1,25 @@
+import { createInterface } from "node:readline";
+const ZERO_SHA = "0000000000000000000000000000000000000000";
+export async function parsePushRefs(input = process.stdin) {
+    const refs = [];
+    const rl = createInterface({ input, crlfDelay: Infinity });
+    for await (const line of rl) {
+        const trimmed = line.trim();
+        if (!trimmed)
+            continue;
+        const parts = trimmed.split(/\s+/);
+        if (parts.length < 4)
+            continue;
+        const [localRef, localSha, remoteRef, remoteSha] = parts;
+        refs.push({
+            localRef: localRef,
+            localSha: localSha,
+            remoteRef: remoteRef,
+            remoteSha: remoteSha,
+            isNew: remoteSha === ZERO_SHA,
+            isDelete: localRef === "(delete)" || localSha === ZERO_SHA,
+        });
+    }
+    return refs;
+}
+//# sourceMappingURL=parse-stdin.js.map

package/dist/git/parse-stdin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"parse-stdin.js","sourceRoot":"","sources":["../../src/git/parse-stdin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAGhD,MAAM,QAAQ,GAAG,0CAA0C,CAAC;AAE5D,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,QAA+B,OAAO,CAAC,KAAK;IAC9E,MAAM,IAAI,GAAc,EAAE,CAAC;IAE3B,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,KAAK,EAAE,SAAS,EAAE,QAAQ,EAAE,CAAC,CAAC;IAE3D,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,EAAE,EAAE,CAAC;QAC5B,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACnC,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,SAAS;QAE/B,MAAM,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC,GAAG,KAAK,CAAC;QAEzD,IAAI,CAAC,IAAI,CAAC;YACR,QAAQ,EAAE,QAAS;YACnB,QAAQ,EAAE,QAAS;YACnB,SAAS,EAAE,SAAU;YACrB,SAAS,EAAE,SAAU;YACrB,KAAK,EAAE,SAAS,KAAK,QAAQ;YAC7B,QAAQ,EAAE,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,QAAQ;SAC3D,CAAC,CAAC;IACL,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/hooks/analyze.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Standalone analyze command — diffs unpushed commits against the remote
+ * tracking branch without needing git hook stdin.
+ */
+export declare function runAnalyze(): Promise<number>;
+//# sourceMappingURL=analyze.d.ts.map

package/dist/hooks/analyze.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.d.ts","sourceRoot":"","sources":["../../src/hooks/analyze.ts"],"names":[],"mappings":"AAWA;;;GAGG;AACH,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CAkBlD"}

package/dist/hooks/analyze.js

@@ -0,0 +1,85 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { getDiff } from "../git/diff.js";
+import { buildSystemPrompt, buildUserPrompt } from "../analysis/prompt.js";
+import { analyzeWithClaude } from "../analysis/claude.js";
+import { loadConfig } from "../config/loader.js";
+import { log, reportStart, reportResult } from "../output/reporter.js";
+const exec = promisify(execFile);
+/**
+ * Standalone analyze command — diffs unpushed commits against the remote
+ * tracking branch without needing git hook stdin.
+ */
+export async function runAnalyze() {
+    const config = await loadConfig();
+    const localSha = await resolveHead();
+    const remoteSha = await resolveUpstream();
+    if (!remoteSha) {
+        log("No upstream tracking branch found. Use: git push -u origin <branch>");
+        log("Falling back to diff against origin/main...");
+        const fallback = await resolveFallback();
+        if (!fallback) {
+            log("Could not determine a base to diff against.");
+            return 1;
+        }
+        return runDiffAndAnalyze({ remoteSha: fallback, localSha }, config);
+    }
+    return runDiffAndAnalyze({ remoteSha, localSha }, config);
+}
+async function runDiffAndAnalyze(refs, config) {
+    const pushRef = {
+        localRef: "HEAD",
+        localSha: refs.localSha,
+        remoteRef: "",
+        remoteSha: refs.remoteSha,
+        isNew: false,
+        isDelete: false,
+    };
+    try {
+        const diffResult = await getDiff(pushRef, config);
+        if (diffResult.files.length === 0) {
+            log("No unpushed changes to analyze.");
+            return 0;
+        }
+        reportStart(diffResult.files.length);
+        const systemPrompt = buildSystemPrompt(config);
+        const userPrompt = buildUserPrompt(diffResult);
+        const result = await analyzeWithClaude(systemPrompt, userPrompt, config);
+        reportResult(result, config.verbose);
+        return result.verdict === "fail" ? 1 : 0;
+    }
+    catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        log(`Analysis error: ${msg}`);
+        return config.failOnError ? 1 : 0;
+    }
+}
+async function resolveHead() {
+    const { stdout } = await exec("git", ["rev-parse", "HEAD"]);
+    return stdout.trim();
+}
+async function resolveUpstream() {
+    try {
+        const { stdout } = await exec("git", ["rev-parse", "@{upstream}"]);
+        return stdout.trim();
+    }
+    catch {
+        return null;
+    }
+}
+async function resolveFallback() {
+    try {
+        const { stdout } = await exec("git", ["rev-parse", "origin/main"]);
+        return stdout.trim();
+    }
+    catch {
+        try {
+            const { stdout } = await exec("git", ["rev-parse", "origin/master"]);
+            return stdout.trim();
+        }
+        catch {
+            return null;
+        }
+    }
+}
+//# sourceMappingURL=analyze.js.map

package/dist/hooks/analyze.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyze.js","sourceRoot":"","sources":["../../src/hooks/analyze.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAGvE,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAElC,MAAM,QAAQ,GAAG,MAAM,WAAW,EAAE,CAAC;IACrC,MAAM,SAAS,GAAG,MAAM,eAAe,EAAE,CAAC;IAE1C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,GAAG,CAAC,qEAAqE,CAAC,CAAC;QAC3E,GAAG,CAAC,6CAA6C,CAAC,CAAC;QACnD,MAAM,QAAQ,GAAG,MAAM,eAAe,EAAE,CAAC;QACzC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,GAAG,CAAC,6CAA6C,CAAC,CAAC;YACnD,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,iBAAiB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;IACtE,CAAC;IAED,OAAO,iBAAiB,CAAC,EAAE,SAAS,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;AAC5D,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,IAA6C,EAC7C,MAA8C;IAE9C,MAAM,OAAO,GAAY;QACvB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,EAAE;QACb,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;KAChB,CAAC;IAEF,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAElD,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAClC,GAAG,CAAC,iCAAiC,CAAC,CAAC;YACvC,OAAO,CAAC,CAAC;QACX,CAAC;QAED,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAErC,MAAM,YAAY,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;QAC/C,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;QAC/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;QAEzE,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;QACrC,OAAO,MAAM,CAAC,OAAO,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,GAAG,CAAC,mBAAmB,GAAG,EAAE,CAAC,CAAC;QAC9B,OAAO,MAAM,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACpC,CAAC;AACH,CAAC;AAED,KAAK,UAAU,WAAW;IACxB,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;IAC5D,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,eAAe;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe;IAC5B,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;IACvB,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC,CAAC;YACrE,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;QACvB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/hooks/pre-push.d.ts

@@ -0,0 +1,2 @@
+export declare function runPrePush(): Promise<number>;
+//# sourceMappingURL=pre-push.d.ts.map

package/dist/hooks/pre-push.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-push.d.ts","sourceRoot":"","sources":["../../src/hooks/pre-push.ts"],"names":[],"mappings":"AAOA,wBAAsB,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,CA+DlD"}

package/dist/hooks/pre-push.js

@@ -0,0 +1,75 @@
+import { parsePushRefs } from "../git/parse-stdin.js";
+import { getDiff } from "../git/diff.js";
+import { buildSystemPrompt, buildUserPrompt } from "../analysis/prompt.js";
+import { analyzeWithClaude } from "../analysis/claude.js";
+import { loadConfig } from "../config/loader.js";
+import { log, reportStart, reportResult } from "../output/reporter.js";
+export async function runPrePush() {
+    const config = await loadConfig();
+    // Check if current branch should be skipped
+    if (config.skipBranches.length > 0) {
+        const branch = await getCurrentBranch();
+        if (branch && config.skipBranches.some((p) => matchBranch(branch, p))) {
+            log(`Skipping analysis for branch "${branch}"`);
+            return 0;
+        }
+    }
+    // Parse push refs from stdin
+    const refs = await parsePushRefs();
+    if (refs.length === 0) {
+        return 0;
+    }
+    let hasFailure = false;
+    for (const ref of refs) {
+        if (ref.isDelete) {
+            continue;
+        }
+        try {
+            const diffResult = await getDiff(ref, config);
+            if (diffResult.files.length === 0) {
+                log("No relevant changes to analyze.");
+                continue;
+            }
+            reportStart(diffResult.files.length);
+            if (diffResult.truncated) {
+                log("Diff was truncated due to size — analysis may be partial.");
+            }
+            const systemPrompt = buildSystemPrompt(config);
+            const userPrompt = buildUserPrompt(diffResult);
+            const result = await analyzeWithClaude(systemPrompt, userPrompt, config);
+            reportResult(result, config.verbose);
+            if (result.verdict === "fail") {
+                hasFailure = true;
+            }
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            log(`Analysis error: ${msg}`);
+            if (config.failOnError) {
+                log("Push blocked due to analysis error (failOnError is enabled).");
+                return 1;
+            }
+            log("Allowing push despite analysis error (fail-open mode).");
+        }
+    }
+    return hasFailure ? 1 : 0;
+}
+async function getCurrentBranch() {
+    const { execFile } = await import("node:child_process");
+    const { promisify } = await import("node:util");
+    const exec = promisify(execFile);
+    try {
+        const { stdout } = await exec("git", ["branch", "--show-current"]);
+        return stdout.trim() || null;
+    }
+    catch {
+        return null;
+    }
+}
+function matchBranch(branch, pattern) {
+    if (pattern.endsWith("*")) {
+        return branch.startsWith(pattern.slice(0, -1));
+    }
+    return branch === pattern;
+}
+//# sourceMappingURL=pre-push.js.map

package/dist/hooks/pre-push.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pre-push.js","sourceRoot":"","sources":["../../src/hooks/pre-push.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC3E,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,GAAG,EAAE,WAAW,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAEvE,MAAM,CAAC,KAAK,UAAU,UAAU;IAC9B,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAElC,4CAA4C;IAC5C,IAAI,MAAM,CAAC,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,gBAAgB,EAAE,CAAC;QACxC,IAAI,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACtE,GAAG,CAAC,iCAAiC,MAAM,GAAG,CAAC,CAAC;YAChD,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,MAAM,IAAI,GAAG,MAAM,aAAa,EAAE,CAAC;IAEnC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,UAAU,GAAG,KAAK,CAAC;IAEvB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;YACjB,SAAS;QACX,CAAC;QAED,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;YAE9C,IAAI,UAAU,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAClC,GAAG,CAAC,iCAAiC,CAAC,CAAC;gBACvC,SAAS;YACX,CAAC;YAED,WAAW,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAErC,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;gBACzB,GAAG,CAAC,2DAA2D,CAAC,CAAC;YACnE,CAAC;YAED,MAAM,YAAY,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC/C,MAAM,UAAU,GAAG,eAAe,CAAC,UAAU,CAAC,CAAC;YAE/C,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,YAAY,EAAE,UAAU,EAAE,MAAM,CAAC,CAAC;YACzE,YAAY,CAAC,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;YAErC,IAAI,MAAM,CAAC,OAAO,KAAK,MAAM,EAAE,CAAC;gBAC9B,UAAU,GAAG,IAAI,CAAC;YACpB,CAAC;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,GAAG,CAAC,mBAAmB,GAAG,EAAE,CAAC,CAAC;YAE9B,IAAI,MAAM,CAAC,WAAW,EAAE,CAAC;gBACvB,GAAG,CAAC,8DAA8D,CAAC,CAAC;gBACpE,OAAO,CAAC,CAAC;YACX,CAAC;YAED,GAAG,CAAC,wDAAwD,CAAC,CAAC;QAChE,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5B,CAAC;AAED,KAAK,UAAU,gBAAgB;IAC7B,MAAM,EAAE,QAAQ,EAAE,GAAG,MAAM,MAAM,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,WAAW,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IAEjC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,QAAQ,EAAE,gBAAgB,CAAC,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;IAC/B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,WAAW,CAAC,MAAc,EAAE,OAAe;IAClD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IACD,OAAO,MAAM,KAAK,OAAO,CAAC;AAC5B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export { runPrePush } from "./hooks/pre-push.js";
+export { loadConfig } from "./config/loader.js";
+export { analyzeWithClaude } from "./analysis/claude.js";
+export { buildSystemPrompt, buildUserPrompt } from "./analysis/prompt.js";
+export { getDiff } from "./git/diff.js";
+export { parsePushRefs } from "./git/parse-stdin.js";
+export type { GuardStagedConfig } from "./config/schema.js";
+export type { PushRef, AnalysisResult, AnalysisIssue, DiffResult } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,YAAY,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAC;AAC5D,YAAY,EAAE,OAAO,EAAE,cAAc,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+export { runPrePush } from "./hooks/pre-push.js";
+export { loadConfig } from "./config/loader.js";
+export { analyzeWithClaude } from "./analysis/claude.js";
+export { buildSystemPrompt, buildUserPrompt } from "./analysis/prompt.js";
+export { getDiff } from "./git/diff.js";
+export { parsePushRefs } from "./git/parse-stdin.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAC1E,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/output/reporter.d.ts

@@ -0,0 +1,5 @@
+import type { AnalysisResult } from "../types.js";
+export declare function log(message: string): void;
+export declare function reportStart(fileCount: number): void;
+export declare function reportResult(result: AnalysisResult, verbose: boolean): void;
+//# sourceMappingURL=reporter.d.ts.map

package/dist/output/reporter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.d.ts","sourceRoot":"","sources":["../../src/output/reporter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAiB,MAAM,aAAa,CAAC;AAwBjE,wBAAgB,GAAG,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI,CAEzC;AAED,wBAAgB,WAAW,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAEnD;AAED,wBAAgB,YAAY,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,OAAO,GAAG,IAAI,CAiB3E"}

package/dist/output/reporter.js

@@ -0,0 +1,77 @@
+const COLORS = {
+    reset: "\x1b[0m",
+    bold: "\x1b[1m",
+    dim: "\x1b[2m",
+    red: "\x1b[31m",
+    yellow: "\x1b[33m",
+    green: "\x1b[32m",
+    cyan: "\x1b[36m",
+    magenta: "\x1b[35m",
+    white: "\x1b[37m",
+};
+const SEVERITY_COLORS = {
+    critical: COLORS.red + COLORS.bold,
+    high: COLORS.red,
+    medium: COLORS.yellow,
+    low: COLORS.cyan,
+    info: COLORS.dim,
+};
+const PREFIX = `${COLORS.magenta}pushguard${COLORS.reset}`;
+export function log(message) {
+    console.error(`${PREFIX}: ${message}`);
+}
+export function reportStart(fileCount) {
+    log(`Analyzing ${fileCount} changed file${fileCount === 1 ? "" : "s"} before push...`);
+}
+export function reportResult(result, verbose) {
+    console.error("");
+    if (result.issues.length > 0) {
+        for (const issue of result.issues) {
+            reportIssue(issue);
+        }
+        console.error("");
+    }
+    if (verbose) {
+        log(result.summary);
+    }
+    const verdictLine = formatVerdict(result);
+    log(verdictLine);
+    console.error("");
+}
+function reportIssue(issue) {
+    const color = SEVERITY_COLORS[issue.severity] ?? COLORS.dim;
+    const severity = `${color}${issue.severity.toUpperCase()}${COLORS.reset}`;
+    const category = `${COLORS.dim}${issue.category}${COLORS.reset}`;
+    let location = "";
+    if (issue.file) {
+        location = `  ${COLORS.dim}${issue.file}${issue.line ? `:${issue.line}` : ""}${COLORS.reset}`;
+    }
+    console.error(`  ${severity}  ${category}${location}`);
+    console.error(`  ${issue.message}`);
+    if (issue.suggestion) {
+        console.error(`  ${COLORS.dim}> ${issue.suggestion}${COLORS.reset}`);
+    }
+    console.error("");
+}
+function formatVerdict(result) {
+    const issueCounts = countBySeverity(result.issues);
+    const countStr = Object.entries(issueCounts)
+        .map(([sev, count]) => `${count} ${sev}`)
+        .join(", ");
+    switch (result.verdict) {
+        case "fail":
+            return `${COLORS.red}${COLORS.bold}Push BLOCKED${COLORS.reset} (${countStr})`;
+        case "warn":
+            return `${COLORS.yellow}Push allowed with warnings${COLORS.reset} (${countStr})`;
+        case "pass":
+            return `${COLORS.green}Push OK${COLORS.reset} — no issues found`;
+    }
+}
+function countBySeverity(issues) {
+    const counts = {};
+    for (const issue of issues) {
+        counts[issue.severity] = (counts[issue.severity] ?? 0) + 1;
+    }
+    return counts;
+}
+//# sourceMappingURL=reporter.js.map

package/dist/output/reporter.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reporter.js","sourceRoot":"","sources":["../../src/output/reporter.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,GAAG;IACb,KAAK,EAAE,SAAS;IAChB,IAAI,EAAE,SAAS;IACf,GAAG,EAAE,SAAS;IACd,GAAG,EAAE,UAAU;IACf,MAAM,EAAE,UAAU;IAClB,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,UAAU;IAChB,OAAO,EAAE,UAAU;IACnB,KAAK,EAAE,UAAU;CAClB,CAAC;AAEF,MAAM,eAAe,GAA2B;IAC9C,QAAQ,EAAE,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,IAAI;IAClC,IAAI,EAAE,MAAM,CAAC,GAAG;IAChB,MAAM,EAAE,MAAM,CAAC,MAAM;IACrB,GAAG,EAAE,MAAM,CAAC,IAAI;IAChB,IAAI,EAAE,MAAM,CAAC,GAAG;CACjB,CAAC;AAEF,MAAM,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,YAAY,MAAM,CAAC,KAAK,EAAE,CAAC;AAE3D,MAAM,UAAU,GAAG,CAAC,OAAe;IACjC,OAAO,CAAC,KAAK,CAAC,GAAG,MAAM,KAAK,OAAO,EAAE,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,SAAiB;IAC3C,GAAG,CAAC,aAAa,SAAS,gBAAgB,SAAS,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,iBAAiB,CAAC,CAAC;AACzF,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,MAAsB,EAAE,OAAgB;IACnE,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAElB,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;YAClC,WAAW,CAAC,KAAK,CAAC,CAAC;QACrB,CAAC;QACD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACpB,CAAC;IAED,IAAI,OAAO,EAAE,CAAC;QACZ,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACtB,CAAC;IAED,MAAM,WAAW,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,GAAG,CAAC,WAAW,CAAC,CAAC;IACjB,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,WAAW,CAAC,KAAoB;IACvC,MAAM,KAAK,GAAG,eAAe,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,GAAG,CAAC;IAC5D,MAAM,QAAQ,GAAG,GAAG,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAC1E,MAAM,QAAQ,GAAG,GAAG,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,QAAQ,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAEjE,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,QAAQ,GAAG,KAAK,MAAM,CAAC,GAAG,GAAG,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC;IAChG,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ,KAAK,QAAQ,GAAG,QAAQ,EAAE,CAAC,CAAC;IACvD,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;IAEpC,IAAI,KAAK,CAAC,UAAU,EAAE,CAAC;QACrB,OAAO,CAAC,KAAK,CAAC,KAAK,MAAM,CAAC,GAAG,KAAK,KAAK,CAAC,UAAU,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACpB,CAAC;AAED,SAAS,aAAa,CAAC,MAAsB;IAC3C,MAAM,WAAW,GAAG,eAAe,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;SACzC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK,IAAI,GAAG,EAAE,CAAC;SACxC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEd,QAAQ,MAAM,CAAC,OAAO,EAAE,CAAC;QACvB,KAAK,MAAM;YACT,OAAO,GAAG,MAAM,CAAC,GAAG,GAAG,MAAM,CAAC,IAAI,eAAe,MAAM,CAAC,KAAK,KAAK,QAAQ,GAAG,CAAC;QAChF,KAAK,MAAM;YACT,OAAO,GAAG,MAAM,CAAC,MAAM,6BAA6B,MAAM,CAAC,KAAK,KAAK,QAAQ,GAAG,CAAC;QACnF,KAAK,MAAM;YACT,OAAO,GAAG,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,KAAK,oBAAoB,CAAC;IACrE,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,MAAuB;IAC9C,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/setup/install.d.ts

@@ -0,0 +1,2 @@
+export declare function init(cwd?: string): Promise<void>;
+//# sourceMappingURL=install.d.ts.map

package/dist/setup/install.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.d.ts","sourceRoot":"","sources":["../../src/setup/install.ts"],"names":[],"mappings":"AAWA,wBAAsB,IAAI,CAAC,GAAG,GAAE,MAAsB,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BrE"}

package/dist/setup/install.js

@@ -0,0 +1,33 @@
+import { existsSync } from "node:fs";
+import { writeFile } from "node:fs/promises";
+import { resolve } from "node:path";
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import { log } from "../output/reporter.js";
+const exec = promisify(execFile);
+const HOOK_CONTENT = `npx pushguard\n`;
+export async function init(cwd = process.cwd()) {
+    const huskyDir = resolve(cwd, ".husky");
+    // Check if husky is set up
+    if (!existsSync(huskyDir)) {
+        log("Husky not found. Initializing...");
+        try {
+            await exec("npx", ["husky", "init"], { cwd });
+        }
+        catch (error) {
+            const msg = error instanceof Error ? error.message : String(error);
+            console.error(`Failed to initialize Husky. Make sure husky is installed:\n  npm install -D husky\n\nError: ${msg}`);
+            process.exit(1);
+        }
+    }
+    // Create the pre-push hook
+    const hookPath = resolve(huskyDir, "pre-push");
+    await writeFile(hookPath, HOOK_CONTENT, { mode: 0o755 });
+    log("Created .husky/pre-push hook");
+    log("pushguard will now analyze changes before each push.");
+    console.error("");
+    console.error("  Configuration (optional):");
+    console.error('  Add a "pushguard" key to package.json or create .pushguard.json');
+    console.error("");
+}
+//# sourceMappingURL=install.js.map

package/dist/setup/install.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"install.js","sourceRoot":"","sources":["../../src/setup/install.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,GAAG,EAAE,MAAM,uBAAuB,CAAC;AAE5C,MAAM,IAAI,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAEjC,MAAM,YAAY,GAAG,iBAAiB,CAAC;AAEvC,MAAM,CAAC,KAAK,UAAU,IAAI,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IACpD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAExC,2BAA2B;IAC3B,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,GAAG,CAAC,kCAAkC,CAAC,CAAC;QACxC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,GAAG,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,OAAO,CAAC,KAAK,CACX,+FAA+F,GAAG,EAAE,CACrG,CAAC;YACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IAED,2BAA2B;IAC3B,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC/C,MAAM,SAAS,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEzD,GAAG,CAAC,8BAA8B,CAAC,CAAC;IACpC,GAAG,CAAC,sDAAsD,CAAC,CAAC;IAC5D,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAClB,OAAO,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACnF,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;AACpB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,27 @@
+export interface PushRef {
+    localRef: string;
+    localSha: string;
+    remoteRef: string;
+    remoteSha: string;
+    isNew: boolean;
+    isDelete: boolean;
+}
+export interface AnalysisIssue {
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    category: "security" | "bug" | "logic" | "performance" | "quality" | "style";
+    file?: string;
+    line?: number;
+    message: string;
+    suggestion: string;
+}
+export interface AnalysisResult {
+    verdict: "pass" | "warn" | "fail";
+    summary: string;
+    issues: AnalysisIssue[];
+}
+export interface DiffResult {
+    diff: string;
+    files: string[];
+    truncated: boolean;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;IACf,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,QAAQ,EAAE,UAAU,GAAG,KAAK,GAAG,OAAO,GAAG,aAAa,GAAG,SAAS,GAAG,OAAO,CAAC;IAC7E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,aAAa,EAAE,CAAC;CACzB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,SAAS,EAAE,OAAO,CAAC;CACpB"}

package/dist/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,83 @@
+{
+  "name": "@nektarlabs/pushguard",
+  "version": "1.0.0",
+  "type": "module",
+  "description": "Pre-push hook that analyzes code changes with Claude Code before pushing",
+  "bin": {
+    "pushguard": "./bin/pushguard.js"
+  },
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    },
+    "./package.json": "./package.json"
+  },
+  "files": [
+    "dist",
+    "bin",
+    "README.md",
+    "LICENSE"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "dev": "tsc -p tsconfig.build.json --watch",
+    "lint": "eslint src/",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "prepare": "husky",
+    "prepublishOnly": "pnpm run build",
+    "test": "vitest run"
+  },
+  "lint-staged": {
+    "*.{ts,js}": [
+      "eslint --fix",
+      "prettier --write"
+    ],
+    "*.{json,md,yml,yaml}": [
+      "prettier --write"
+    ]
+  },
+  "peerDependencies": {
+    "husky": ">=9.0.0"
+  },
+  "peerDependenciesMeta": {
+    "husky": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.4.4",
+    "@commitlint/config-conventional": "^20.4.4",
+    "@eslint/js": "^10.0.1",
+    "@semantic-release/changelog": "^6.0.3",
+    "@semantic-release/git": "^10.0.1",
+    "@types/node": "^20.0.0",
+    "eslint": "^10.0.3",
+    "lint-staged": "^16.3.3",
+    "prettier": "^3.8.1",
+    "semantic-release": "^25.0.3",
+    "typescript": "^5.5.0",
+    "typescript-eslint": "^8.57.0",
+    "vitest": "^3.0.0"
+  },
+  "keywords": [
+    "git",
+    "hook",
+    "pre-push",
+    "husky",
+    "claude",
+    "code-review",
+    "ai",
+    "security"
+  ],
+  "publishConfig": {
+    "access": "public"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=22.14.0"
+  }
+}