@oddessentials/odd-ai-reviewers 1.10.1 → 1.12.0

package/dist/report/user-suppressions.d.ts

@@ -0,0 +1,74 @@
+/**
+ * User-Configurable Suppressions (FR-022)
+ *
+ * Stage 1.25 in the finding pipeline: applies user-defined suppression rules
+ * from .ai-review.yml configuration. Runs after semantic validation (Stage 1)
+ * and before framework convention filter (Stage 1.5).
+ *
+ * Security: In CI mode, rules are loaded from the BASE branch config to prevent
+ * attackers from smuggling suppressions into fork PRs.
+ */
+import type { Finding } from '../agents/types.js';
+import { type SuppressionRule, type Suppressions } from '../config/schemas.js';
+export interface SuppressionMatchResult {
+    finding: Finding;
+    rule: SuppressionRule;
+    ruleIndex: number;
+}
+export interface UserSuppressionResult {
+    /** Findings that passed all suppression rules */
+    filtered: Finding[];
+    /** Findings that were suppressed with their matching rule */
+    suppressed: SuppressionMatchResult[];
+    /** Per-rule match count (keyed by rule index) */
+    matchCounts: Map<number, number>;
+}
+export type SuppressionMode = 'ci' | 'local';
+export interface BreadthViolation {
+    ruleIndex: number;
+    reason: string;
+    matchCount: number;
+    limit: number;
+    hasOverride: boolean;
+}
+/**
+ * Filter findings through user-defined suppression rules.
+ * First matching rule wins (no multi-rule accumulation).
+ */
+export declare function filterUserSuppressions(findings: Finding[], rules: SuppressionRule[]): UserSuppressionResult;
+/**
+ * Check breadth limits on suppression match counts.
+ * Returns violations that should cause failures (CI) or warnings (local).
+ */
+export declare function checkBreadthLimits(rules: SuppressionRule[], matchCounts: Map<number, number>): BreadthViolation[];
+/**
+ * Check if a breadth-override rule is authorized to suppress error-severity findings.
+ * Returns violations for unauthorized error-severity suppressions.
+ */
+export declare function checkErrorSeverityOverrides(rules: SuppressionRule[], suppressedResults: SuppressionMatchResult[], securityOverrideAllowlist: string[]): BreadthViolation[];
+/**
+ * Enforce breadth limits based on mode.
+ * In CI mode: throws Error for violations.
+ * In local mode: logs warnings only.
+ */
+export declare function enforceBreadthLimits(rules: SuppressionRule[], result: UserSuppressionResult, mode: SuppressionMode, securityOverrideAllowlist: string[]): void;
+/**
+ * Build suppression match count summary for JSON output.
+ */
+export declare function buildSuppressionSummary(rules: SuppressionRule[], matchCounts: Map<number, number>): {
+    reason: string;
+    matched: number;
+}[];
+/**
+ * Load suppressions from the base branch config via `git show`.
+ *
+ * Security (FR-022): In CI mode, suppression rules MUST be loaded from the
+ * BASE branch configuration only, never from the PR branch. This prevents
+ * attackers from smuggling suppressions into fork PRs to hide vulnerabilities.
+ *
+ * @param repoPath - Path to the git repository
+ * @param baseRef - Base branch ref (e.g., 'origin/main', a SHA)
+ * @returns Parsed suppressions, or empty defaults if base has no config/suppressions
+ */
+export declare function loadBaseBranchSuppressions(repoPath: string, baseRef: string): Suppressions;
+//# sourceMappingURL=user-suppressions.d.ts.map

package/dist/report/user-suppressions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-suppressions.d.ts","sourceRoot":"","sources":["../../src/report/user-suppressions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAAsB,KAAK,eAAe,EAAE,KAAK,YAAY,EAAE,MAAM,sBAAsB,CAAC;AASnG,MAAM,WAAW,sBAAsB;IACrC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,EAAE,eAAe,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,qBAAqB;IACpC,iDAAiD;IACjD,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,6DAA6D;IAC7D,UAAU,EAAE,sBAAsB,EAAE,CAAC;IACrC,iDAAiD;IACjD,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED,MAAM,MAAM,eAAe,GAAG,IAAI,GAAG,OAAO,CAAC;AAE7C,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,OAAO,CAAC;CACtB;AA4CD;;;GAGG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,OAAO,EAAE,EACnB,KAAK,EAAE,eAAe,EAAE,GACvB,qBAAqB,CAqCvB;AASD;;;GAGG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,eAAe,EAAE,EACxB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B,gBAAgB,EAAE,CAuBpB;AAED;;;GAGG;AACH,wBAAgB,2BAA2B,CACzC,KAAK,EAAE,eAAe,EAAE,EACxB,iBAAiB,EAAE,sBAAsB,EAAE,EAC3C,yBAAyB,EAAE,MAAM,EAAE,GAClC,gBAAgB,EAAE,CA8BpB;AAED;;;;GAIG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,eAAe,EAAE,EACxB,MAAM,EAAE,qBAAqB,EAC7B,IAAI,EAAE,eAAe,EACrB,yBAAyB,EAAE,MAAM,EAAE,GAClC,IAAI,CA0DN;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,eAAe,EAAE,EACxB,WAAW,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAC/B;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAAE,CAUvC;AAMD;;;;;;;;;;GAUG;AACH,wBAAgB,0BAA0B,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,YAAY,CAsD1F"}

package/dist/report/user-suppressions.js

@@ -0,0 +1,264 @@
+/**
+ * User-Configurable Suppressions (FR-022)
+ *
+ * Stage 1.25 in the finding pipeline: applies user-defined suppression rules
+ * from .ai-review.yml configuration. Runs after semantic validation (Stage 1)
+ * and before framework convention filter (Stage 1.5).
+ *
+ * Security: In CI mode, rules are loaded from the BASE branch config to prevent
+ * attackers from smuggling suppressions into fork PRs.
+ */
+import { execFileSync } from 'child_process';
+import { parse as parseYaml } from 'yaml';
+import { minimatch } from 'minimatch';
+import { SuppressionsSchema } from '../config/schemas.js';
+import { ConfigError, ConfigErrorCode } from '../types/errors.js';
+import { SafeGitRefHelpers } from '../types/branded.js';
+import { isOk } from '../types/result.js';
+// =============================================================================
+// Matching Logic
+// =============================================================================
+/**
+ * Test if a suppression rule matches a finding.
+ * All specified criteria must match (AND logic).
+ */
+function ruleMatchesFinding(rule, finding) {
+    // Rule ID: glob match
+    if (rule.rule !== undefined) {
+        const ruleId = finding.ruleId ?? '';
+        if (!minimatch(ruleId, rule.rule))
+            return false;
+    }
+    // Message: anchored regex (validated at config load: must start with ^ and end with $)
+    if (rule.message !== undefined) {
+        try {
+            // SAFETY: rule.message is validated by SuppressionRuleSchema to be fully anchored (^...$).
+            // eslint-disable-next-line security/detect-non-literal-regexp
+            const regex = new RegExp(rule.message);
+            if (!regex.test(finding.message))
+                return false;
+        }
+        catch {
+            // Invalid regex — treat as non-match (validated at config time)
+            return false;
+        }
+    }
+    // File: glob match
+    if (rule.file !== undefined) {
+        const filePath = finding.file ?? '';
+        if (!minimatch(filePath, rule.file))
+            return false;
+    }
+    // Severity: exact match
+    if (rule.severity !== undefined) {
+        if (finding.severity !== rule.severity)
+            return false;
+    }
+    return true;
+}
+/**
+ * Filter findings through user-defined suppression rules.
+ * First matching rule wins (no multi-rule accumulation).
+ */
+export function filterUserSuppressions(findings, rules) {
+    if (rules.length === 0) {
+        return { filtered: [...findings], suppressed: [], matchCounts: new Map() };
+    }
+    const filtered = [];
+    const suppressed = [];
+    const matchCounts = new Map();
+    // Initialize counts
+    for (let i = 0; i < rules.length; i++) {
+        matchCounts.set(i, 0);
+    }
+    for (const finding of findings) {
+        let wasSuppressed = false;
+        for (let i = 0; i < rules.length; i++) {
+            const rule = rules[i];
+            if (ruleMatchesFinding(rule, finding)) {
+                suppressed.push({ finding, rule, ruleIndex: i });
+                matchCounts.set(i, (matchCounts.get(i) ?? 0) + 1);
+                wasSuppressed = true;
+                // Diagnostics go to stderr to avoid corrupting JSON/SARIF stdout output
+                console.error(`[router] [user-suppression] Suppressed: ${finding.file}:${finding.line ?? '?'} — rule: "${rule.reason}"`);
+                break; // First matching rule wins
+            }
+        }
+        if (!wasSuppressed) {
+            filtered.push(finding);
+        }
+    }
+    return { filtered, suppressed, matchCounts };
+}
+// =============================================================================
+// Breadth Enforcement
+// =============================================================================
+const DEFAULT_BREADTH_LIMIT = 20;
+const OVERRIDE_BREADTH_LIMIT = 200;
+/**
+ * Check breadth limits on suppression match counts.
+ * Returns violations that should cause failures (CI) or warnings (local).
+ */
+export function checkBreadthLimits(rules, matchCounts) {
+    const violations = [];
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        const count = matchCounts.get(i) ?? 0;
+        if (count === 0)
+            continue;
+        const hasOverride = rule.breadth_override === true;
+        const limit = hasOverride ? OVERRIDE_BREADTH_LIMIT : DEFAULT_BREADTH_LIMIT;
+        if (count > limit) {
+            violations.push({
+                ruleIndex: i,
+                reason: rule.reason,
+                matchCount: count,
+                limit,
+                hasOverride,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * Check if a breadth-override rule is authorized to suppress error-severity findings.
+ * Returns violations for unauthorized error-severity suppressions.
+ */
+export function checkErrorSeverityOverrides(rules, suppressedResults, securityOverrideAllowlist) {
+    const violations = [];
+    // Group suppressed findings by rule index
+    const suppressedByRule = new Map();
+    for (const result of suppressedResults) {
+        const existing = suppressedByRule.get(result.ruleIndex) ?? [];
+        existing.push(result);
+        suppressedByRule.set(result.ruleIndex, existing);
+    }
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        if (!rule.breadth_override)
+            continue;
+        const ruleSuppressions = suppressedByRule.get(i) ?? [];
+        const hasErrorSeverity = ruleSuppressions.some((s) => s.finding.severity === 'error');
+        if (hasErrorSeverity && !securityOverrideAllowlist.includes(rule.reason)) {
+            violations.push({
+                ruleIndex: i,
+                reason: rule.reason,
+                matchCount: ruleSuppressions.length,
+                limit: DEFAULT_BREADTH_LIMIT,
+                hasOverride: true,
+            });
+        }
+    }
+    return violations;
+}
+/**
+ * Enforce breadth limits based on mode.
+ * In CI mode: throws Error for violations.
+ * In local mode: logs warnings only.
+ */
+export function enforceBreadthLimits(rules, result, mode, securityOverrideAllowlist) {
+    const breadthViolations = checkBreadthLimits(rules, result.matchCounts);
+    const errorSeverityViolations = checkErrorSeverityOverrides(rules, result.suppressed, securityOverrideAllowlist);
+    const allViolations = [...breadthViolations, ...errorSeverityViolations];
+    if (allViolations.length === 0) {
+        // Log overrides that are within limits
+        for (let i = 0; i < rules.length; i++) {
+            const rule = rules[i];
+            const count = result.matchCounts.get(i) ?? 0;
+            if (rule.breadth_override && count > DEFAULT_BREADTH_LIMIT) {
+                console.error(`[router] [user-suppression] Broad suppression override: '${rule.reason}' approved by ${rule.approved_by ?? 'unknown'} — matched ${count} findings`);
+            }
+        }
+        return;
+    }
+    if (mode === 'local') {
+        for (const v of allViolations) {
+            console.warn(`[router] [user-suppression] Warning: Suppression rule '${v.reason}' matched ${v.matchCount} findings (limit: ${v.limit})`);
+        }
+        return;
+    }
+    // CI mode: fail on violations — error-severity violations take precedence
+    // FR-022: Breadth violations produce exit code 2 (config_error) via ConfigError
+    if (errorSeverityViolations.length > 0) {
+        const v = errorSeverityViolations[0];
+        throw new ConfigError(`Breadth override on rule '${v.reason}' cannot suppress error-severity findings — add to security_override_allowlist to authorize`, ConfigErrorCode.INVALID_VALUE, { field: 'suppressions.rules' });
+    }
+    const firstViolation = allViolations[0];
+    if (firstViolation.hasOverride) {
+        throw new ConfigError(`Suppression rule '${firstViolation.reason}' matched ${firstViolation.matchCount} findings (limit: ${firstViolation.limit}). Override limit exceeded.`, ConfigErrorCode.INVALID_VALUE, { field: 'suppressions.rules' });
+    }
+    throw new ConfigError(`Suppression rule '${firstViolation.reason}' matched ${firstViolation.matchCount} findings (limit: ${firstViolation.limit}). Add \`breadth_override: true\` to this rule to allow broad suppression.`, ConfigErrorCode.INVALID_VALUE, { field: 'suppressions.rules' });
+}
+/**
+ * Build suppression match count summary for JSON output.
+ */
+export function buildSuppressionSummary(rules, matchCounts) {
+    const summary = [];
+    for (let i = 0; i < rules.length; i++) {
+        const rule = rules[i];
+        const count = matchCounts.get(i) ?? 0;
+        if (count > 0) {
+            summary.push({ reason: rule.reason, matched: count });
+        }
+    }
+    return summary;
+}
+// =============================================================================
+// Base-Branch Suppression Loading (CI Security)
+// =============================================================================
+/**
+ * Load suppressions from the base branch config via `git show`.
+ *
+ * Security (FR-022): In CI mode, suppression rules MUST be loaded from the
+ * BASE branch configuration only, never from the PR branch. This prevents
+ * attackers from smuggling suppressions into fork PRs to hide vulnerabilities.
+ *
+ * @param repoPath - Path to the git repository
+ * @param baseRef - Base branch ref (e.g., 'origin/main', a SHA)
+ * @returns Parsed suppressions, or empty defaults if base has no config/suppressions
+ */
+export function loadBaseBranchSuppressions(repoPath, baseRef) {
+    const emptySuppressions = {
+        rules: [],
+        disable_matchers: [],
+        security_override_allowlist: [],
+    };
+    // Defense-in-depth: validate baseRef before passing to git
+    const refResult = SafeGitRefHelpers.parse(baseRef);
+    if (!isOk(refResult)) {
+        console.warn(`[router] [user-suppression] Invalid base ref, skipping suppression loading: ${baseRef}`);
+        return emptySuppressions;
+    }
+    try {
+        const configContent = execFileSync('git', ['show', `${refResult.value}:.ai-review.yml`], {
+            cwd: repoPath,
+            encoding: 'utf-8',
+            stdio: ['pipe', 'pipe', 'pipe'],
+            timeout: 10000,
+        });
+        const parsed = parseYaml(configContent);
+        if (!parsed || typeof parsed !== 'object' || !('suppressions' in parsed)) {
+            console.error('[router] [user-suppression] Base branch config has no suppressions section');
+            return emptySuppressions;
+        }
+        const result = SuppressionsSchema.safeParse(parsed['suppressions']);
+        if (!result.success) {
+            console.warn(`[router] [user-suppression] Base branch suppressions invalid, ignoring: ${result.error.message}`);
+            return emptySuppressions;
+        }
+        console.error(`[router] [user-suppression] Loaded ${result.data.rules.length} suppression rule(s) from base branch (${baseRef})`);
+        return result.data;
+    }
+    catch (error) {
+        // git show fails when config doesn't exist on base branch — expected
+        const message = error instanceof Error ? error.message : String(error);
+        if (message.includes('does not exist') || message.includes('fatal:')) {
+            console.error('[router] [user-suppression] No .ai-review.yml on base branch — no suppressions active');
+        }
+        else {
+            console.warn(`[router] [user-suppression] Failed to load base branch config: ${message}`);
+        }
+        return emptySuppressions;
+    }
+}
+//# sourceMappingURL=user-suppressions.js.map

package/dist/report/user-suppressions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-suppressions.js","sourceRoot":"","sources":["../../src/report/user-suppressions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,KAAK,IAAI,SAAS,EAAE,MAAM,MAAM,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,OAAO,EAAE,kBAAkB,EAA2C,MAAM,sBAAsB,CAAC;AACnG,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,IAAI,EAAE,MAAM,oBAAoB,CAAC;AA+B1C,gFAAgF;AAChF,iBAAiB;AACjB,gFAAgF;AAEhF;;;GAGG;AACH,SAAS,kBAAkB,CAAC,IAAqB,EAAE,OAAgB;IACjE,sBAAsB;IACtB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IAClD,CAAC;IAED,uFAAuF;IACvF,IAAI,IAAI,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,2FAA2F;YAC3F,8DAA8D;YAC9D,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC;gBAAE,OAAO,KAAK,CAAC;QACjD,CAAC;QAAC,MAAM,CAAC;YACP,gEAAgE;YAChE,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,mBAAmB;IACnB,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,IAAI,CAAC;YAAE,OAAO,KAAK,CAAC;IACpD,CAAC;IAED,wBAAwB;IACxB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAChC,IAAI,OAAO,CAAC,QAAQ,KAAK,IAAI,CAAC,QAAQ;YAAE,OAAO,KAAK,CAAC;IACvD,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAmB,EACnB,KAAwB;IAExB,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,QAAQ,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,WAAW,EAAE,IAAI,GAAG,EAAE,EAAE,CAAC;IAC7E,CAAC;IAED,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,UAAU,GAA6B,EAAE,CAAC;IAChD,MAAM,WAAW,GAAG,IAAI,GAAG,EAAkB,CAAC;IAE9C,oBAAoB;IACpB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACxB,CAAC;IAED,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,aAAa,GAAG,KAAK,CAAC;QAE1B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAoB,CAAC;YACzC,IAAI,kBAAkB,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,CAAC;gBACtC,UAAU,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,EAAE,CAAC,CAAC;gBACjD,WAAW,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAClD,aAAa,GAAG,IAAI,CAAC;gBACrB,wEAAwE;gBACxE,OAAO,CAAC,KAAK,CACX,2CAA2C,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,IAAI,GAAG,aAAa,IAAI,CAAC,MAAM,GAAG,CAC1G,CAAC;gBACF,MAAM,CAAC,2BAA2B;YACpC,CAAC;QACH,CAAC;QAED,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,EAAE,CAAC;AAC/C,CAAC;AAED,gFAAgF;AAChF,sBAAsB;AACtB,gFAAgF;AAEhF,MAAM,qBAAqB,GAAG,EAAE,CAAC;AACjC,MAAM,sBAAsB,GAAG,GAAG,CAAC;AAEnC;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAAwB,EACxB,WAAgC;IAEhC,MAAM,UAAU,GAAuB,EAAE,CAAC;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAoB,CAAC;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,KAAK,KAAK,CAAC;YAAE,SAAS;QAE1B,MAAM,WAAW,GAAG,IAAI,CAAC,gBAAgB,KAAK,IAAI,CAAC;QACnD,MAAM,KAAK,GAAG,WAAW,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,qBAAqB,CAAC;QAE3E,IAAI,KAAK,GAAG,KAAK,EAAE,CAAC;YAClB,UAAU,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,KAAK;gBACjB,KAAK;gBACL,WAAW;aACZ,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CACzC,KAAwB,EACxB,iBAA2C,EAC3C,yBAAmC;IAEnC,MAAM,UAAU,GAAuB,EAAE,CAAC;IAE1C,0CAA0C;IAC1C,MAAM,gBAAgB,GAAG,IAAI,GAAG,EAAoC,CAAC;IACrE,KAAK,MAAM,MAAM,IAAI,iBAAiB,EAAE,CAAC;QACvC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC;QAC9D,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACtB,gBAAgB,CAAC,GAAG,CAAC,MAAM,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAoB,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,gBAAgB;YAAE,SAAS;QAErC,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;QACvD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,CAAC;QAEtF,IAAI,gBAAgB,IAAI,CAAC,yBAAyB,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACzE,UAAU,CAAC,IAAI,CAAC;gBACd,SAAS,EAAE,CAAC;gBACZ,MAAM,EAAE,IAAI,CAAC,MAAM;gBACnB,UAAU,EAAE,gBAAgB,CAAC,MAAM;gBACnC,KAAK,EAAE,qBAAqB;gBAC5B,WAAW,EAAE,IAAI;aAClB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAwB,EACxB,MAA6B,EAC7B,IAAqB,EACrB,yBAAmC;IAEnC,MAAM,iBAAiB,GAAG,kBAAkB,CAAC,KAAK,EAAE,MAAM,CAAC,WAAW,CAAC,CAAC;IACxE,MAAM,uBAAuB,GAAG,2BAA2B,CACzD,KAAK,EACL,MAAM,CAAC,UAAU,EACjB,yBAAyB,CAC1B,CAAC;IAEF,MAAM,aAAa,GAAG,CAAC,GAAG,iBAAiB,EAAE,GAAG,uBAAuB,CAAC,CAAC;IAEzE,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,uCAAuC;QACvC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAoB,CAAC;YACzC,MAAM,KAAK,GAAG,MAAM,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAC7C,IAAI,IAAI,CAAC,gBAAgB,IAAI,KAAK,GAAG,qBAAqB,EAAE,CAAC;gBAC3D,OAAO,CAAC,KAAK,CACX,4DAA4D,IAAI,CAAC,MAAM,iBAAiB,IAAI,CAAC,WAAW,IAAI,SAAS,cAAc,KAAK,WAAW,CACpJ,CAAC;YACJ,CAAC;QACH,CAAC;QACD,OAAO;IACT,CAAC;IAED,IAAI,IAAI,KAAK,OAAO,EAAE,CAAC;QACrB,KAAK,MAAM,CAAC,IAAI,aAAa,EAAE,CAAC;YAC9B,OAAO,CAAC,IAAI,CACV,0DAA0D,CAAC,CAAC,MAAM,aAAa,CAAC,CAAC,UAAU,qBAAqB,CAAC,CAAC,KAAK,GAAG,CAC3H,CAAC;QACJ,CAAC;QACD,OAAO;IACT,CAAC;IAED,0EAA0E;IAC1E,gFAAgF;IAChF,IAAI,uBAAuB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACvC,MAAM,CAAC,GAAG,uBAAuB,CAAC,CAAC,CAAqB,CAAC;QACzD,MAAM,IAAI,WAAW,CACnB,6BAA6B,CAAC,CAAC,MAAM,6FAA6F,EAClI,eAAe,CAAC,aAAa,EAC7B,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAChC,CAAC;IACJ,CAAC;IAED,MAAM,cAAc,GAAG,aAAa,CAAC,CAAC,CAAqB,CAAC;IAC5D,IAAI,cAAc,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,IAAI,WAAW,CACnB,qBAAqB,cAAc,CAAC,MAAM,aAAa,cAAc,CAAC,UAAU,qBAAqB,cAAc,CAAC,KAAK,6BAA6B,EACtJ,eAAe,CAAC,aAAa,EAC7B,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAChC,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,WAAW,CACnB,qBAAqB,cAAc,CAAC,MAAM,aAAa,cAAc,CAAC,UAAU,qBAAqB,cAAc,CAAC,KAAK,4EAA4E,EACrM,eAAe,CAAC,aAAa,EAC7B,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAChC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CACrC,KAAwB,EACxB,WAAgC;IAEhC,MAAM,OAAO,GAA0C,EAAE,CAAC;IAC1D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAoB,CAAC;QACzC,MAAM,KAAK,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACd,OAAO,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,gFAAgF;AAChF,gDAAgD;AAChD,gFAAgF;AAEhF;;;;;;;;;;GAUG;AACH,MAAM,UAAU,0BAA0B,CAAC,QAAgB,EAAE,OAAe;IAC1E,MAAM,iBAAiB,GAAiB;QACtC,KAAK,EAAE,EAAE;QACT,gBAAgB,EAAE,EAAE;QACpB,2BAA2B,EAAE,EAAE;KAChC,CAAC;IAEF,2DAA2D;IAC3D,MAAM,SAAS,GAAG,iBAAiB,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IACnD,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACrB,OAAO,CAAC,IAAI,CACV,+EAA+E,OAAO,EAAE,CACzF,CAAC;QACF,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,GAAG,SAAS,CAAC,KAAK,iBAAiB,CAAC,EAAE;YACvF,GAAG,EAAE,QAAQ;YACb,QAAQ,EAAE,OAAO;YACjB,KAAK,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC;YAC/B,OAAO,EAAE,KAAK;SACf,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,SAAS,CAAC,aAAa,CAA4B,CAAC;QACnE,IAAI,CAAC,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,CAAC,cAAc,IAAI,MAAM,CAAC,EAAE,CAAC;YACzE,OAAO,CAAC,KAAK,CAAC,4EAA4E,CAAC,CAAC;YAC5F,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,MAAM,MAAM,GAAG,kBAAkB,CAAC,SAAS,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,CAAC;QACpE,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CACV,2EAA2E,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,CAClG,CAAC;YACF,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,OAAO,CAAC,KAAK,CACX,sCAAsC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,0CAA0C,OAAO,GAAG,CACnH,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,CAAC;IACrB,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,qEAAqE;QACrE,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,IAAI,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACrE,OAAO,CAAC,KAAK,CACX,uFAAuF,CACxF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,IAAI,CAAC,kEAAkE,OAAO,EAAE,CAAC,CAAC;QAC5F,CAAC;QACD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;AACH,CAAC"}

package/dist/security-logger.d.ts

@@ -10,7 +10,7 @@
  * - Consistent structured format across all events
  *
  * @see FR-021, FR-022, FR-023, FR-024
- * @see specs/006-quality-enforcement/contracts/security-event.ts
+ * @see specs/archive/006-quality-enforcement/contracts/security-event.ts
  */
 import { z } from 'zod';
 /**

package/dist/security-logger.js

@@ -10,7 +10,7 @@
  * - Consistent structured format across all events
  *
  * @see FR-021, FR-022, FR-023, FR-024
- * @see specs/006-quality-enforcement/contracts/security-event.ts
+ * @see specs/archive/006-quality-enforcement/contracts/security-event.ts
  */
 import { createHash } from 'crypto';
 import { z } from 'zod';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@oddessentials/odd-ai-reviewers",
-  "version": "1.10.1",
+  "version": "1.12.0",
   "description": "AI-powered code review CLI - run locally or in CI/CD pipelines",
   "type": "module",
   "main": "dist/main.js",
@@ -32,19 +32,19 @@
   "homepage": "https://github.com/oddessentials/odd-ai-reviewers#readme",
   "dependencies": {
     "@actions/cache": "5.0.5",
-    "@anthropic-ai/sdk": "0.71.2",
+    "@anthropic-ai/sdk": "0.78.0",
     "@octokit/rest": "^22.0.1",
     "commander": "^14.0.3",
     "minimatch": "^10.2.4",
-    "openai": "^6.27.0",
+    "openai": "^6.29.0",
     "typescript": "5.9.3",
     "yaml": "^2.8.2",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@types/node": "25.4.0",
-    "@vitest/coverage-v8": "4.0.18",
-    "vitest": "^4.0.18"
+    "@types/node": "25.5.0",
+    "@vitest/coverage-v8": "4.1.0",
+    "vitest": "^4.1.0"
   },
   "engines": {
     "node": ">=22.0.0"
@@ -58,6 +58,7 @@
     "test:coverage": "vitest run --coverage",
     "test:ci": "vitest run --reporter=json --outputFile=test-results.json",
     "test:ci:coverage": "vitest run --coverage --reporter=json --reporter=dot --outputFile=test-results.json",
+    "test:ci-thresholds": "CI=true vitest run --coverage",
     "typecheck": "tsc --noEmit"
   }
 }

package/dist/__tests__/hermetic-setup.d.ts

@@ -1,55 +0,0 @@
-/**
- * Hermetic Test Setup Utilities
- *
- * Shared test infrastructure for deterministic, isolated tests.
- * Located in __tests__/ directory which is classified as test code
- * by dependency-cruiser, allowing legitimate vitest imports.
- *
- * Provides:
- * - Frozen time (no wall-clock dependencies)
- * - Deterministic teardown
- *
- * @example
- * ```typescript
- * import { describe, it, beforeEach, afterEach } from 'vitest';
- * import {
- *   FROZEN_TIMESTAMP,
- *   setupHermeticTest,
- *   teardownHermeticTest,
- * } from '../hermetic-setup.js';
- *
- * describe('MyFeature', () => {
- *   beforeEach(() => setupHermeticTest());
- *   afterEach(() => teardownHermeticTest());
- *
- *   it('works with frozen time', () => {
- *     expect(new Date().toISOString()).toBe(FROZEN_TIMESTAMP);
- *   });
- * });
- * ```
- */
-/**
- * Frozen test timestamp - use consistently across all hermetic tests
- */
-export declare const FROZEN_TIMESTAMP = "2026-01-29T00:00:00.000Z";
-export declare const FROZEN_DATE: Date;
-/**
- * Setup hermetic test environment
- *
- * Configures:
- * - Frozen system time to FROZEN_TIMESTAMP
- *
- * Call this in beforeEach()
- */
-export declare function setupHermeticTest(): void;
-/**
- * Teardown hermetic test environment
- *
- * Restores:
- * - Real system time
- * - All mocks
- *
- * Call this in afterEach()
- */
-export declare function teardownHermeticTest(): void;
-//# sourceMappingURL=hermetic-setup.d.ts.map

package/dist/__tests__/hermetic-setup.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"hermetic-setup.d.ts","sourceRoot":"","sources":["../../src/__tests__/hermetic-setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAIH;;GAEG;AACH,eAAO,MAAM,gBAAgB,6BAA6B,CAAC;AAC3D,eAAO,MAAM,WAAW,MAA6B,CAAC;AAEtD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,IAAI,IAAI,CAGxC;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,IAAI,IAAI,CAG3C"}

package/dist/__tests__/hermetic-setup.js

@@ -1,62 +0,0 @@
-/**
- * Hermetic Test Setup Utilities
- *
- * Shared test infrastructure for deterministic, isolated tests.
- * Located in __tests__/ directory which is classified as test code
- * by dependency-cruiser, allowing legitimate vitest imports.
- *
- * Provides:
- * - Frozen time (no wall-clock dependencies)
- * - Deterministic teardown
- *
- * @example
- * ```typescript
- * import { describe, it, beforeEach, afterEach } from 'vitest';
- * import {
- *   FROZEN_TIMESTAMP,
- *   setupHermeticTest,
- *   teardownHermeticTest,
- * } from '../hermetic-setup.js';
- *
- * describe('MyFeature', () => {
- *   beforeEach(() => setupHermeticTest());
- *   afterEach(() => teardownHermeticTest());
- *
- *   it('works with frozen time', () => {
- *     expect(new Date().toISOString()).toBe(FROZEN_TIMESTAMP);
- *   });
- * });
- * ```
- */
-import { vi } from 'vitest';
-/**
- * Frozen test timestamp - use consistently across all hermetic tests
- */
-export const FROZEN_TIMESTAMP = '2026-01-29T00:00:00.000Z';
-export const FROZEN_DATE = new Date(FROZEN_TIMESTAMP);
-/**
- * Setup hermetic test environment
- *
- * Configures:
- * - Frozen system time to FROZEN_TIMESTAMP
- *
- * Call this in beforeEach()
- */
-export function setupHermeticTest() {
-    vi.useFakeTimers();
-    vi.setSystemTime(FROZEN_DATE);
-}
-/**
- * Teardown hermetic test environment
- *
- * Restores:
- * - Real system time
- * - All mocks
- *
- * Call this in afterEach()
- */
-export function teardownHermeticTest() {
-    vi.useRealTimers();
-    vi.restoreAllMocks();
-}
-//# sourceMappingURL=hermetic-setup.js.map

package/dist/__tests__/hermetic-setup.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"hermetic-setup.js","sourceRoot":"","sources":["../../src/__tests__/hermetic-setup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AAE5B;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,0BAA0B,CAAC;AAC3D,MAAM,CAAC,MAAM,WAAW,GAAG,IAAI,IAAI,CAAC,gBAAgB,CAAC,CAAC;AAEtD;;;;;;;GAOG;AACH,MAAM,UAAU,iBAAiB;IAC/B,EAAE,CAAC,aAAa,EAAE,CAAC;IACnB,EAAE,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;AAChC,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,oBAAoB;IAClC,EAAE,CAAC,aAAa,EAAE,CAAC;IACnB,EAAE,CAAC,eAAe,EAAE,CAAC;AACvB,CAAC"}