npm - @paniolo/scan - Versions diffs - 0.2.3 → 0.2.4 - Mend

@paniolo/scan 0.2.3 → 0.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/standards/rule-evidence.json +419 -0
package/package.json +1 -1

package/dist/standards/rule-evidence.json ADDED Viewed

@@ -0,0 +1,419 @@
+{
+	"schema_version": 1,
+	"rules": {
+		"actions-sha-pinned": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": [
+				"docs/rules-catalog.md",
+				"https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions"
+			],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"adapter-content-duplication": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/meta-harness.md", "docs/harness-analysis.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"adapter-context-budget": {
+			"source_type": "research-motivated-threshold",
+			"evidence_level": "E3",
+			"source_urls": ["docs/ai/scoring-calibration.md", "https://arxiv.org/abs/2602.20478"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"adapter-points-to-shared": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/meta-harness.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"adapter-thin-claude": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"adapter-thin-copilot": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"adapter-thin-gemini": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["mature"]
+		},
+		"agent-frontmatter": {
+			"source_type": "agent-skills-spec",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["mature"]
+		},
+		"agent-resource-budget-caps": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.20953"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"agents-md-mentions-skills": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/available-skills.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"always-loaded-budget": {
+			"source_type": "research-motivated-threshold",
+			"evidence_level": "E3",
+			"source_urls": ["docs/ai/scoring-calibration.md", "https://arxiv.org/abs/2602.20478"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"ci-enforcement-gates": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"ci-guidance-lint": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/rules-catalog.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"ci-validation-gates": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/scoring-calibration.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"claude-agent-routing": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/architecture.md", "docs/ai/ai-system.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["mature"]
+		},
+		"claude-hooks-valid": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"codex-hooks-valid": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"correction-loop-documented": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/scoring-calibration.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"emphasis-keyword-density": {
+			"source_type": "instruction-quality-heuristic",
+			"evidence_level": "E5",
+			"source_urls": ["docs/rules-catalog.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"env-files-gitignored": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": [
+				"docs/rules-catalog.md",
+				"https://owasp.org/www-project-top-10-for-large-language-model-applications/"
+			],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"escalation-protocol-discoverability": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2604.09408"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"focused-test-commands-present": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"forbidden-legacy-paths": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/ai-system.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"guidance-links-resolve": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/rules.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"guidance-maintenance-script": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/scoring-calibration.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"high-impact-action-confirmation": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"hook-no-network-exfil": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"hook-stop-circuit-breaker": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"identity-language-absent": {
+			"source_type": "instruction-quality-heuristic",
+			"evidence_level": "E5",
+			"source_urls": ["docs/rules-catalog.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"jsdoc-enforcement-present": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/scoring-calibration.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"lint-gate-present": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"llm-output-schema-validated": {
+			"source_type": "research-motivated-boundary-rule",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.06847"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"local-context-patterns": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"memory-docs-indexed": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": [
+				"docs/full-spectrum-intelligence-layer.md",
+				"https://arxiv.org/abs/2602.20478"
+			],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"memory-write-provenance": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"model-interface-pinned": {
+			"source_type": "research-motivated-boundary-rule",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.06847"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"no-dangerous-auto-approve": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"no-duplicate-agent-trees": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/ai-system.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"no-duplicate-skill-trees": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/ai-system.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"no-pull-request-target": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": [
+				"docs/rules-catalog.md",
+				"https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions"
+			],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"pr-template-ai-harness-check": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/scoring-calibration.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"qmd-script-present": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/qmd.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"secret-scanning-configured": {
+			"source_type": "security-practice",
+			"evidence_level": "E4",
+			"source_urls": [
+				"docs/rules-catalog.md",
+				"https://owasp.org/www-project-top-10-for-large-language-model-applications/"
+			],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"shared-agents-md": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/meta-harness.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"shared-rules-doc": {
+			"source_type": "corpus-calibrated-maturity-signal",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/meta-harness.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["weak", "normal", "mature"]
+		},
+		"skill-doc-deep-links": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/rules.md", "docs/ai/doc-best-practices.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"skill-frontmatter": {
+			"source_type": "agent-skills-spec",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/rules.md", "docs/ai/skill-best-practices.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"skill-line-count": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/scoring-calibration.md", "docs/ai/skill-best-practices.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"skills-index": {
+			"source_type": "meta-harness-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/ai/available-skills.md", "docs/architecture.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": ["normal", "mature"]
+		},
+		"strict-typecheck-present": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"test-gates-present": {
+			"source_type": "intelligence-layer-methodology",
+			"evidence_level": "E4",
+			"source_urls": ["docs/full-spectrum-intelligence-layer.md", "docs/ai/rules.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"tool-allowlist-inventory": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"tool-contract-tests-present": {
+			"source_type": "research-motivated-boundary-rule",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.06847"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"untrusted-input-action-boundary": {
+			"source_type": "research-motivated-security-posture",
+			"evidence_level": "E2",
+			"source_urls": ["docs/rules-catalog.md", "https://arxiv.org/abs/2603.11088"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"vscode-agents-location": {
+			"source_type": "harness-wiring-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/architecture.md", "docs/ai/ai-system.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"vscode-custom-hooks": {
+			"source_type": "harness-wiring-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/architecture.md", "docs/ai/ai-system.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		},
+		"vscode-skills-location": {
+			"source_type": "harness-wiring-practice",
+			"evidence_level": "E4",
+			"source_urls": ["docs/architecture.md", "docs/ai/ai-system.md"],
+			"verified_on": "2026-06-13",
+			"fixture_ids": []
+		}
+	}
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@paniolo/scan",
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "The AI Technical Debt Scanner — diagnostic-only CLI that scores your repo's AI harness across Copilot, Cursor, Codex, Antigravity, Claude Code, and Gemini. No writes, no telemetry.",
   "keywords": [
     "agents",