@nerviq/cli 1.26.0 → 1.27.0

package/src/formatters/junit.js

@@ -1,103 +1,123 @@
-/**
- * JUnit XML Formatter
- *
- * Converts a nerviq audit result into Jenkins-compatible JUnit XML.
- * Schema: <testsuites><testsuite><testcase><failure/></testcase></testsuite></testsuites>
- *
- *   - One <testsuite> per check category.
- *   - Each check becomes a <testcase> (classname = category, name = key).
- *   - Failed checks emit a <failure message="..." type="..."/> where:
- *       - message = check.fix || check.name
- *       - type    = severity (check.severity || check.impact)
- *   - Skipped checks emit <skipped/>.
- *
- * Parses with any standard JUnit XML consumer (GitHub Actions test
- * reporter, Jenkins, GitLab CI, CircleCI).
- */
-
-'use strict';
-
-const { version: nerviqVersion } = require('../../package.json');
-
-function escapeXml(value) {
-  if (value === null || value === undefined) return '';
-  return String(value)
-    .replace(/&/g, '&amp;')
-    .replace(/</g, '&lt;')
-    .replace(/>/g, '&gt;')
-    .replace(/"/g, '&quot;')
-    .replace(/'/g, '&apos;');
-}
-
-function severityFor(r) {
-  return r.severity || r.impact || 'medium';
-}
-
-function groupByCategory(results) {
-  const map = new Map();
-  for (const r of results) {
-    const cat = r.category || 'uncategorized';
-    if (!map.has(cat)) map.set(cat, []);
-    map.get(cat).push(r);
-  }
-  return map;
-}
-
-function formatJUnit(auditResult) {
-  const allResults = Array.isArray(auditResult.results) ? auditResult.results : [];
-  const timestamp = auditResult.timestamp || new Date().toISOString();
-  const platform = auditResult.platform || 'claude';
-
-  const totalTests = allResults.length;
-  const totalFailures = allResults.filter((r) => r.passed === false).length;
-  const totalSkipped = allResults.filter((r) => r.passed === null || r.skipped === true).length;
-
-  const byCategory = groupByCategory(allResults);
-
-  const lines = [];
-  lines.push('<?xml version="1.0" encoding="UTF-8"?>');
-  lines.push(
-    `<testsuites name="nerviq" tests="${totalTests}" failures="${totalFailures}" skipped="${totalSkipped}" time="0">`,
-  );
-
-  for (const [category, checks] of byCategory) {
-    const suiteFailures = checks.filter((r) => r.passed === false).length;
-    const suiteSkipped = checks.filter((r) => r.passed === null || r.skipped === true).length;
-    lines.push(
-      `  <testsuite name="${escapeXml(category)}" tests="${checks.length}" failures="${suiteFailures}" skipped="${suiteSkipped}" time="0" timestamp="${escapeXml(timestamp)}" package="nerviq.${escapeXml(platform)}">`,
-    );
-
-    for (const r of checks) {
-      const classname = escapeXml(r.category || 'uncategorized');
-      const name = escapeXml(r.key || r.id || r.name || 'unknown');
-      // CTO-08: surface scope layer as a testcase attribute so JUnit
-      // consumers (GitHub Actions, Jenkins, GitLab) can filter/group.
-      const layerAttr = r.layer ? ` layer="${escapeXml(r.layer)}"` : '';
-      if (r.passed === false) {
-        const msg = escapeXml(r.fix || r.name || r.key || 'check failed');
-        const type = escapeXml(severityFor(r));
-        let body = `${r.name || ''}`;
-        if (r.file) body += ` at ${r.file}${r.line ? ':' + r.line : ''}`;
-        if (r.sourceUrl) body += ` (${r.sourceUrl})`;
-        if (r.snippet) body += `\n---\n${r.snippet}`;
-        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0">`);
-        lines.push(`      <failure message="${msg}" type="${type}">${escapeXml(body)}</failure>`);
-        lines.push(`    </testcase>`);
-      } else if (r.passed === null || r.skipped === true) {
-        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0">`);
-        lines.push(`      <skipped/>`);
-        lines.push(`    </testcase>`);
-      } else {
-        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0"/>`);
-      }
-    }
-
-    lines.push('  </testsuite>');
-  }
-
-  lines.push('</testsuites>');
-  lines.push(`<!-- nerviq v${escapeXml(auditResult.version || nerviqVersion)} -->`);
-  return lines.join('\n');
-}
-
-module.exports = { formatJUnit };
+/**
+ * JUnit XML Formatter
+ *
+ * Converts a nerviq audit result into Jenkins-compatible JUnit XML.
+ * Schema: <testsuites><testsuite><testcase><failure/></testcase></testsuite></testsuites>
+ *
+ *   - One <testsuite> per check category.
+ *   - Each check becomes a <testcase> (classname = category, name = key).
+ *   - Failed checks emit a <failure message="..." type="..."/> where:
+ *       - message = check.fix || check.name
+ *       - type    = severity (check.severity || check.impact)
+ *   - Skipped checks emit <skipped/>.
+ *
+ * Parses with any standard JUnit XML consumer (GitHub Actions test
+ * reporter, Jenkins, GitLab CI, CircleCI).
+ */
+
+'use strict';
+
+const { version: nerviqVersion } = require('../../package.json');
+
+function escapeXml(value) {
+  if (value === null || value === undefined) return '';
+  return String(value)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&apos;');
+}
+
+function severityFor(r) {
+  return r.severity || r.impact || 'medium';
+}
+
+function groupByCategory(results) {
+  const map = new Map();
+  for (const r of results) {
+    const cat = r.category || 'uncategorized';
+    if (!map.has(cat)) map.set(cat, []);
+    map.get(cat).push(r);
+  }
+  return map;
+}
+
+function formatJUnit(auditResult) {
+  const allResults = Array.isArray(auditResult.results) ? auditResult.results : [];
+  const shallowRiskHints = Array.isArray(auditResult.shallowRiskHints) ? auditResult.shallowRiskHints : [];
+  const timestamp = auditResult.timestamp || new Date().toISOString();
+  const platform = auditResult.platform || 'claude';
+
+  const totalTests = allResults.length + shallowRiskHints.length;
+  const totalFailures = allResults.filter((r) => r.passed === false).length + shallowRiskHints.length;
+  const totalSkipped = allResults.filter((r) => r.passed === null || r.skipped === true).length;
+
+  const byCategory = groupByCategory(allResults);
+
+  const lines = [];
+  lines.push('<?xml version="1.0" encoding="UTF-8"?>');
+  lines.push(
+    `<testsuites name="nerviq" tests="${totalTests}" failures="${totalFailures}" skipped="${totalSkipped}" time="0">`,
+  );
+
+  for (const [category, checks] of byCategory) {
+    const suiteFailures = checks.filter((r) => r.passed === false).length;
+    const suiteSkipped = checks.filter((r) => r.passed === null || r.skipped === true).length;
+    lines.push(
+      `  <testsuite name="${escapeXml(category)}" tests="${checks.length}" failures="${suiteFailures}" skipped="${suiteSkipped}" time="0" timestamp="${escapeXml(timestamp)}" package="nerviq.${escapeXml(platform)}">`,
+    );
+
+    for (const r of checks) {
+      const classname = escapeXml(r.category || 'uncategorized');
+      const name = escapeXml(r.key || r.id || r.name || 'unknown');
+      // CTO-08: surface scope layer as a testcase attribute so JUnit
+      // consumers (GitHub Actions, Jenkins, GitLab) can filter/group.
+      const layerAttr = r.layer ? ` layer="${escapeXml(r.layer)}"` : '';
+      if (r.passed === false) {
+        const msg = escapeXml(r.fix || r.name || r.key || 'check failed');
+        const type = escapeXml(severityFor(r));
+        let body = `${r.name || ''}`;
+        if (r.file) body += ` at ${r.file}${r.line ? ':' + r.line : ''}`;
+        if (r.sourceUrl) body += ` (${r.sourceUrl})`;
+        if (r.snippet) body += `\n---\n${r.snippet}`;
+        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0">`);
+        lines.push(`      <failure message="${msg}" type="${type}">${escapeXml(body)}</failure>`);
+        lines.push(`    </testcase>`);
+      } else if (r.passed === null || r.skipped === true) {
+        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0">`);
+        lines.push(`      <skipped/>`);
+        lines.push(`    </testcase>`);
+      } else {
+        lines.push(`    <testcase classname="${classname}" name="${name}"${layerAttr} time="0"/>`);
+      }
+    }
+
+    lines.push('  </testsuite>');
+  }
+
+  if (Array.isArray(auditResult.shallowRiskHints)) {
+    lines.push(
+      `  <testsuite name="shallow-risk" tests="${shallowRiskHints.length}" failures="${shallowRiskHints.length}" skipped="0" time="0" timestamp="${escapeXml(timestamp)}" package="nerviq.${escapeXml(platform)}.shallow-risk">`,
+    );
+    for (const hint of shallowRiskHints) {
+      const name = escapeXml(hint.key || hint.name || 'shallow-risk');
+      const msg = escapeXml(hint.fix || hint.name || hint.key || 'shallow risk hint');
+      const type = escapeXml(severityFor(hint));
+      let body = `${hint.name || hint.key || ''}`;
+      if (hint.file) body += ` at ${hint.file}${hint.line ? ':' + hint.line : ''}`;
+      if (hint.sourceUrl) body += ` (${hint.sourceUrl})`;
+      if (hint.snippet) body += `\n---\n${hint.snippet}`;
+      lines.push(`    <testcase classname="shallow-risk" name="${name}" layer="shallow-risk" time="0">`);
+      lines.push(`      <failure message="${msg}" type="${type}">${escapeXml(body)}</failure>`);
+      lines.push('    </testcase>');
+    }
+    lines.push('  </testsuite>');
+  }
+
+  lines.push('</testsuites>');
+  lines.push(`<!-- nerviq v${escapeXml(auditResult.version || nerviqVersion)} -->`);
+  return lines.join('\n');
+}
+
+module.exports = { formatJUnit };

package/src/formatters/markdown.js

@@ -1,135 +1,164 @@
-/**
- * Markdown Formatter
- *
- * Converts a nerviq audit result into GitHub-flavoured markdown suitable
- * for posting as a PR comment. Structure:
- *
- *   - Header with score badge and pass/fail/skip counts
- *   - Top 5 topNextActions as a GitHub task-list checklist
- *   - Collapsible <details> block with the full failed-checks table
- *   - Footer with Nerviq link, version, timestamp
- *
- * Output is plain GitHub-flavoured markdown. The only HTML used is
- * <details>/<summary>, which GitHub renders natively.
- */
-
-'use strict';
-
-const { version: nerviqVersion } = require('../../package.json');
-
-function escapeCell(value) {
-  if (value === null || value === undefined) return '';
-  return String(value)
-    .replace(/\r?\n/g, ' ')
-    .replace(/\|/g, '\\|');
-}
-
-function escapeInline(value) {
-  if (value === null || value === undefined) return '';
-  return String(value).replace(/\r?\n/g, ' ');
-}
-
-function scoreBadge(score) {
-  const s = Number.isFinite(score) ? Math.round(score) : 0;
-  let color;
-  if (s >= 80) color = 'brightgreen';
-  else if (s >= 60) color = 'yellow';
-  else color = 'red';
-  return `![score](https://img.shields.io/badge/nerviq_score-${s}%2F100-${color})`;
-}
-
-function severityFor(item) {
-  return item.severity || item.impact || 'medium';
-}
-
-function formatMarkdown(auditResult, options = {}) {
-  const platformLabel = auditResult.platformLabel || auditResult.platform || 'claude';
-  const score = auditResult.score ?? 0;
-  const passed = auditResult.passed ?? 0;
-  const failed = auditResult.failed ?? 0;
-  const skipped = auditResult.skipped ?? 0;
-  const version = auditResult.version || nerviqVersion;
-  const timestamp = auditResult.timestamp || new Date().toISOString();
-
-  const lines = [];
-
-  lines.push(`## Score: ${score}/100 ${scoreBadge(score)}`);
-  lines.push('');
-  lines.push(`**Platform:** ${platformLabel}  `);
-  lines.push(`**Checks:** ${passed} passed, ${failed} failed, ${skipped} skipped`);
-  lines.push('');
-
-  const top = Array.isArray(auditResult.topNextActions)
-    ? auditResult.topNextActions.slice(0, 5)
-    : [];
-
-  if (top.length > 0) {
-    lines.push('### Top next actions');
-    lines.push('');
-    for (const item of top) {
-      const sev = severityFor(item).toString().toUpperCase();
-      const title = escapeInline(item.name || item.title || item.key);
-      const key = escapeInline(item.key || item.id || '');
-      let loc = '';
-      if (item.file) {
-        loc = ` — \`${escapeInline(item.file)}${item.line ? ':' + item.line : ''}\``;
-      }
-      let delta = '';
-      if (Number.isFinite(item.projectedScoreDelta) && item.projectedScoreDelta > 0) {
-        delta = ` (+${item.projectedScoreDelta} pts → ${item.projectedScoreAfter}/100)`;
-      }
-      // CTO-08: include scope layer as a small suffix after the key so
-      // evaluators see which layer each next-action belongs to.
-      const layerSuffix = item.layer ? ` · _layer: ${escapeInline(item.layer)}_` : '';
-      lines.push(`- [ ] **[${sev}] ${title}** (\`${key}\`)${loc}${delta}${layerSuffix}`);
-      const hint = item.fix || item.hint || '';
-      if (hint) {
-        lines.push(`  - ${escapeInline(hint)}`);
-      }
-      if (item.snippet) {
-        lines.push('');
-        lines.push('  ```');
-        for (const snipLine of String(item.snippet).split(/\r?\n/)) {
-          lines.push(`  ${snipLine}`);
-        }
-        lines.push('  ```');
-      }
-    }
-    lines.push('');
-  }
-
-  const failedResults = Array.isArray(auditResult.results)
-    ? auditResult.results.filter((r) => r.passed === false)
-    : [];
-
-  if (failedResults.length > 0) {
-    lines.push('<details>');
-    lines.push(`<summary>All failed checks (${failedResults.length})</summary>`);
-    lines.push('');
-    // CTO-08: add layer column between category and rating.
-    lines.push('| key | name | category | layer | rating | file | line |');
-    lines.push('| --- | --- | --- | --- | --- | --- | --- |');
-    for (const r of failedResults) {
-      const row = [
-        escapeCell(r.key),
-        escapeCell(r.name),
-        escapeCell(r.category),
-        escapeCell(r.layer || ''),
-        escapeCell(r.rating ?? ''),
-        escapeCell(r.file || ''),
-        escapeCell(r.line || ''),
-      ];
-      lines.push(`| ${row.join(' | ')} |`);
-    }
-    lines.push('');
-    lines.push('</details>');
-    lines.push('');
-  }
-
-  lines.push(`---`);
-  lines.push(`Generated by [Nerviq](https://nerviq.net) v${version} · ${timestamp}`);
-
-  return lines.join('\n');
-}
-
-module.exports = { formatMarkdown };
+/**
+ * Markdown Formatter
+ *
+ * Converts a nerviq audit result into GitHub-flavoured markdown suitable
+ * for posting as a PR comment. Structure:
+ *
+ *   - Header with score badge and pass/fail/skip counts
+ *   - Top 5 topNextActions as a GitHub task-list checklist
+ *   - Collapsible <details> block with the full failed-checks table
+ *   - Footer with Nerviq link, version, timestamp
+ *
+ * Output is plain GitHub-flavoured markdown. The only HTML used is
+ * <details>/<summary>, which GitHub renders natively.
+ */
+
+'use strict';
+
+const { version: nerviqVersion } = require('../../package.json');
+const { SHALLOW_RISK_BANNER_LINES } = require('../shallow-risk');
+
+function escapeCell(value) {
+  if (value === null || value === undefined) return '';
+  return String(value)
+    .replace(/\r?\n/g, ' ')
+    .replace(/\|/g, '\\|');
+}
+
+function escapeInline(value) {
+  if (value === null || value === undefined) return '';
+  return String(value).replace(/\r?\n/g, ' ');
+}
+
+function scoreBadge(score) {
+  const s = Number.isFinite(score) ? Math.round(score) : 0;
+  let color;
+  if (s >= 80) color = 'brightgreen';
+  else if (s >= 60) color = 'yellow';
+  else color = 'red';
+  return `![score](https://img.shields.io/badge/nerviq_score-${s}%2F100-${color})`;
+}
+
+function severityFor(item) {
+  return item.severity || item.impact || 'medium';
+}
+
+function formatMarkdown(auditResult, options = {}) {
+  const platformLabel = auditResult.platformLabel || auditResult.platform || 'claude';
+  const score = auditResult.score ?? 0;
+  const passed = auditResult.passed ?? 0;
+  const failed = auditResult.failed ?? 0;
+  const skipped = auditResult.skipped ?? 0;
+  const version = auditResult.version || nerviqVersion;
+  const timestamp = auditResult.timestamp || new Date().toISOString();
+
+  const lines = [];
+
+  lines.push(`## Score: ${score}/100 ${scoreBadge(score)}`);
+  lines.push('');
+  lines.push(`**Platform:** ${platformLabel}  `);
+  lines.push(`**Checks:** ${passed} passed, ${failed} failed, ${skipped} skipped`);
+  lines.push('');
+
+  const top = Array.isArray(auditResult.topNextActions)
+    ? auditResult.topNextActions.slice(0, 5)
+    : [];
+
+  if (top.length > 0) {
+    lines.push('### Top next actions');
+    lines.push('');
+    for (const item of top) {
+      const sev = severityFor(item).toString().toUpperCase();
+      const title = escapeInline(item.name || item.title || item.key);
+      const key = escapeInline(item.key || item.id || '');
+      let loc = '';
+      if (item.file) {
+        loc = ` — \`${escapeInline(item.file)}${item.line ? ':' + item.line : ''}\``;
+      }
+      let delta = '';
+      if (Number.isFinite(item.projectedScoreDelta) && item.projectedScoreDelta > 0) {
+        delta = ` (+${item.projectedScoreDelta} pts → ${item.projectedScoreAfter}/100)`;
+      }
+      // CTO-08: include scope layer as a small suffix after the key so
+      // evaluators see which layer each next-action belongs to.
+      const layerSuffix = item.layer ? ` · _layer: ${escapeInline(item.layer)}_` : '';
+      lines.push(`- [ ] **[${sev}] ${title}** (\`${key}\`)${loc}${delta}${layerSuffix}`);
+      const hint = item.fix || item.hint || '';
+      if (hint) {
+        lines.push(`  - ${escapeInline(hint)}`);
+      }
+      if (item.snippet) {
+        lines.push('');
+        lines.push('  ```');
+        for (const snipLine of String(item.snippet).split(/\r?\n/)) {
+          lines.push(`  ${snipLine}`);
+        }
+        lines.push('  ```');
+      }
+    }
+    lines.push('');
+  }
+
+  if (Array.isArray(auditResult.shallowRiskHints)) {
+    lines.push('### Shallow Risk (experimental, opt-in)');
+    lines.push('');
+    for (const line of SHALLOW_RISK_BANNER_LINES) {
+      lines.push(`> ${line}`);
+    }
+    lines.push('');
+
+    if (auditResult.shallowRiskHints.length === 0) {
+      lines.push('_No shallow-risk hints found._');
+      lines.push('');
+    } else {
+      for (const item of auditResult.shallowRiskHints) {
+        const sev = severityFor(item).toString().toUpperCase();
+        const title = escapeInline(item.name || item.title || item.key);
+        let loc = '';
+        if (item.file) {
+          loc = ` — \`${escapeInline(item.file)}${item.line ? ':' + item.line : ''}\``;
+        }
+        lines.push(`- **[${sev}] ${title}** (\`${escapeInline(item.key || '')}\`)${loc}`);
+        if (item.fix) {
+          lines.push(`  - ${escapeInline(item.fix)}`);
+        }
+      }
+      lines.push('');
+    }
+  }
+
+  const failedResults = Array.isArray(auditResult.results)
+    ? auditResult.results.filter((r) => r.passed === false)
+    : [];
+
+  if (failedResults.length > 0) {
+    lines.push('<details>');
+    lines.push(`<summary>All failed checks (${failedResults.length})</summary>`);
+    lines.push('');
+    // CTO-08: add layer column between category and rating.
+    lines.push('| key | name | category | layer | rating | file | line |');
+    lines.push('| --- | --- | --- | --- | --- | --- | --- |');
+    for (const r of failedResults) {
+      const row = [
+        escapeCell(r.key),
+        escapeCell(r.name),
+        escapeCell(r.category),
+        escapeCell(r.layer || ''),
+        escapeCell(r.rating ?? ''),
+        escapeCell(r.file || ''),
+        escapeCell(r.line || ''),
+      ];
+      lines.push(`| ${row.join(' | ')} |`);
+    }
+    lines.push('');
+    lines.push('</details>');
+    lines.push('');
+  }
+
+  lines.push(`---`);
+  lines.push(`Generated by [Nerviq](https://nerviq.net) v${version} · ${timestamp}`);
+
+  return lines.join('\n');
+}
+
+module.exports = { formatMarkdown };

package/src/shallow-risk/index.js

@@ -0,0 +1,56 @@
+'use strict';
+
+const { buildFinding, SHALLOW_RISK_BANNER, SHALLOW_RISK_BANNER_LINES } = require('./shared');
+
+const patterns = [
+  require('./patterns/agent-config-missing-file'),
+  require('./patterns/agent-config-stack-contradiction'),
+  require('./patterns/agent-config-cross-platform-drift'),
+  require('./patterns/mcp-server-no-allowlist'),
+  require('./patterns/hook-script-missing'),
+  require('./patterns/agent-config-secret-literal'),
+  require('./patterns/agent-config-deprecated-keys'),
+  require('./patterns/agent-config-dangerous-autoapprove'),
+];
+
+function runShallowRisk(ctx) {
+  if (!ctx || process.env.NERVIQ_SHALLOW_RISK === 'off') {
+    return [];
+  }
+
+  const findings = [];
+  const seen = new Set();
+
+  for (const pattern of patterns) {
+    let emitted = [];
+    try {
+      const next = pattern.run(ctx);
+      emitted = Array.isArray(next) ? next : [];
+    } catch {
+      emitted = [];
+    }
+
+    for (const finding of emitted) {
+      const normalized = buildFinding(pattern, ctx, finding || {});
+      const dedupeKey = [
+        normalized.key,
+        normalized.file || '',
+        normalized.line || '',
+        normalized.fix || '',
+      ].join('|');
+
+      if (seen.has(dedupeKey)) continue;
+      seen.add(dedupeKey);
+      findings.push(normalized);
+    }
+  }
+
+  return findings;
+}
+
+module.exports = {
+  patterns,
+  runShallowRisk,
+  SHALLOW_RISK_BANNER,
+  SHALLOW_RISK_BANNER_LINES,
+};

package/src/shallow-risk/patterns/agent-config-cross-platform-drift.js

@@ -0,0 +1,50 @@
+'use strict';
+
+const {
+  SHALLOW_RISK_DOC_URL,
+  collectStackClaims,
+} = require('../shared');
+
+module.exports = {
+  key: 'agent-config-cross-platform-drift',
+  name: 'Cross-platform stack drift detected',
+  severity: 'high',
+  layer: 'shallow-risk',
+  sourceUrl: SHALLOW_RISK_DOC_URL,
+  run(ctx) {
+    const claims = collectStackClaims(ctx).filter((claim) => claim.platform !== 'agent');
+    if (claims.length < 2) return [];
+
+    const byPlatform = new Map();
+    for (const claim of claims) {
+      const bucket = byPlatform.get(claim.platform) || [];
+      bucket.push(claim);
+      byPlatform.set(claim.platform, bucket);
+    }
+
+    const representatives = [];
+    for (const bucket of byPlatform.values()) {
+      const uniqueKeys = [...new Set(bucket.map((claim) => claim.key))];
+      if (uniqueKeys.length !== 1) continue;
+      representatives.push(bucket[0]);
+    }
+
+    representatives.sort((left, right) => left.file.localeCompare(right.file));
+
+    for (let index = 0; index < representatives.length; index++) {
+      for (let inner = index + 1; inner < representatives.length; inner++) {
+        const first = representatives[index];
+        const second = representatives[inner];
+        if (first.key === second.key) continue;
+
+        return [{
+          file: first.file,
+          line: first.line,
+          fix: `Drift detected: ${first.file} declares "${first.label}" while ${second.file} declares "${second.label}". Align the shared primary-language guidance or document an intentional platform-specific override.`,
+        }];
+      }
+    }
+
+    return [];
+  },
+};