@rigour-labs/core 2.18.0 → 2.18.1

package/dist/gates/checkpoint.test.js

@@ -0,0 +1,102 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { CheckpointGate, recordCheckpoint, getCheckpointSession, clearCheckpointSession, getOrCreateCheckpointSession, completeCheckpointSession, abortCheckpointSession } from './checkpoint.js';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+describe('CheckpointGate', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'checkpoint-test-'));
+    });
+    afterEach(() => {
+        clearCheckpointSession(testDir);
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    describe('gate initialization', () => {
+        it('should create gate with default config', () => {
+            const gate = new CheckpointGate();
+            expect(gate.id).toBe('checkpoint');
+            expect(gate.title).toBe('Checkpoint Supervision');
+        });
+        it('should skip when not enabled', async () => {
+            const gate = new CheckpointGate({ enabled: false });
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures).toEqual([]);
+        });
+    });
+    describe('session management', () => {
+        it('should create a new session', () => {
+            const session = getOrCreateCheckpointSession(testDir);
+            expect(session.sessionId).toMatch(/^chk-session-/);
+            expect(session.status).toBe('active');
+            expect(session.checkpoints).toHaveLength(0);
+        });
+        it('should record a checkpoint', () => {
+            const result = recordCheckpoint(testDir, 25, // progressPct
+            ['src/api/users.ts'], 'Implemented user API', 85 // qualityScore
+            );
+            expect(result.continue).toBe(true);
+            expect(result.checkpoint.progressPct).toBe(25);
+            expect(result.checkpoint.qualityScore).toBe(85);
+        });
+        it('should persist session to disk', () => {
+            recordCheckpoint(testDir, 50, [], 'Test', 90);
+            const sessionPath = path.join(testDir, '.rigour', 'checkpoint-session.json');
+            expect(fs.existsSync(sessionPath)).toBe(true);
+        });
+        it('should complete session', () => {
+            getOrCreateCheckpointSession(testDir);
+            completeCheckpointSession(testDir);
+            const session = getCheckpointSession(testDir);
+            expect(session?.status).toBe('completed');
+        });
+        it('should abort session with reason', () => {
+            getOrCreateCheckpointSession(testDir);
+            abortCheckpointSession(testDir, 'Quality too low');
+            const session = getCheckpointSession(testDir);
+            expect(session?.status).toBe('aborted');
+            expect(session?.checkpoints[0].summary).toContain('Quality too low');
+        });
+    });
+    describe('quality threshold', () => {
+        it('should continue when quality above threshold', () => {
+            const result = recordCheckpoint(testDir, 50, [], 'Good work', 85);
+            expect(result.continue).toBe(true);
+            expect(result.warnings).toHaveLength(0);
+        });
+        it('should stop when quality below threshold', () => {
+            const result = recordCheckpoint(testDir, 50, [], 'Poor work', 70);
+            expect(result.continue).toBe(false);
+            expect(result.warnings).toContain('Quality score 70% is below threshold 80%');
+        });
+    });
+    describe('drift detection', () => {
+        it('should detect quality degradation', () => {
+            // Record several checkpoints with declining quality
+            recordCheckpoint(testDir, 20, [], 'Start', 95);
+            recordCheckpoint(testDir, 40, [], 'Middle', 90);
+            const result = recordCheckpoint(testDir, 60, [], 'Decline', 75);
+            expect(result.warnings.some(w => w.includes('Drift detected'))).toBe(true);
+        });
+        it('should not flag stable quality', () => {
+            recordCheckpoint(testDir, 20, [], 'Start', 85);
+            recordCheckpoint(testDir, 40, [], 'Middle', 85);
+            const result = recordCheckpoint(testDir, 60, [], 'Stable', 85);
+            expect(result.warnings.filter(w => w.includes('Drift'))).toHaveLength(0);
+        });
+    });
+    describe('gate run', () => {
+        it('should pass with healthy checkpoints', async () => {
+            const gate = new CheckpointGate({ enabled: true, quality_threshold: 80 });
+            recordCheckpoint(testDir, 50, [], 'Good work', 90);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures).toHaveLength(0);
+        });
+        it('should fail when quality below threshold', async () => {
+            const gate = new CheckpointGate({ enabled: true, quality_threshold: 80 });
+            recordCheckpoint(testDir, 50, [], 'Poor work', 70);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures.some(f => f.title === 'Quality Below Threshold')).toBe(true);
+        });
+    });
+});

package/dist/gates/context.d.ts

@@ -1,8 +1,43 @@
 import { Gate, GateContext } from './base.js';
 import { Failure, Gates } from '../types/index.js';
+/**
+ * Extended Context Configuration (v2.14+)
+ * For 1M token frontier models like Opus 4.6
+ */
+export interface ExtendedContextConfig {
+    enabled?: boolean;
+    sensitivity?: number;
+    mining_depth?: number;
+    cross_file_patterns?: boolean;
+    naming_consistency?: boolean;
+    import_relationships?: boolean;
+    max_cross_file_depth?: number;
+}
 export declare class ContextGate extends Gate {
     private config;
+    private extendedConfig;
     constructor(config: Gates);
     run(context: GateContext): Promise<Failure[]>;
     private checkEnvDrift;
+    /**
+     * Collect naming patterns (function names, class names, variable names)
+     */
+    private collectNamingPatterns;
+    /**
+     * Collect import patterns
+     */
+    private collectImportPatterns;
+    /**
+     * Analyze naming consistency across files
+     */
+    private analyzeNamingConsistency;
+    /**
+     * Analyze import patterns for consistency
+     */
+    private analyzeImportPatterns;
+    /**
+     * Detect casing convention of an identifier
+     */
+    private detectCasing;
+    private addPattern;
 }

package/dist/gates/context.js

@@ -4,25 +4,51 @@ import fs from 'fs-extra';
 import path from 'path';
 export class ContextGate extends Gate {
     config;
+    extendedConfig;
     constructor(config) {
         super('context-drift', 'Context Awareness & Drift Detection');
         this.config = config;
+        this.extendedConfig = {
+            enabled: config.context?.enabled ?? false,
+            sensitivity: config.context?.sensitivity ?? 0.8,
+            mining_depth: config.context?.mining_depth ?? 100,
+            cross_file_patterns: true, // Default ON for frontier model support
+            naming_consistency: true,
+            import_relationships: true,
+            max_cross_file_depth: 50,
+        };
     }
     async run(context) {
         const failures = [];
         const record = context.record;
-        if (!record || !this.config.context?.enabled)
+        if (!record || !this.extendedConfig.enabled)
             return [];
         const files = await FileScanner.findFiles({ cwd: context.cwd });
         const envAnchors = record.anchors.filter(a => a.type === 'env' && a.confidence >= 1);
+        // Collect all patterns across files for cross-file analysis
+        const namingPatterns = new Map();
+        const importPatterns = new Map();
         for (const file of files) {
             try {
                 const content = await fs.readFile(path.join(context.cwd, file), 'utf-8');
-                // 1. Detect Redundant Suffixes (The Golden Example)
+                // 1. Original: Detect Redundant Suffixes (The Golden Example)
                 this.checkEnvDrift(content, file, envAnchors, failures);
+                // 2. NEW: Cross-file pattern collection
+                if (this.extendedConfig.cross_file_patterns) {
+                    this.collectNamingPatterns(content, file, namingPatterns);
+                    this.collectImportPatterns(content, file, importPatterns);
+                }
             }
             catch (e) { }
         }
+        // 3. NEW: Analyze naming consistency across files
+        if (this.extendedConfig.naming_consistency) {
+            this.analyzeNamingConsistency(namingPatterns, failures);
+        }
+        // 4. NEW: Analyze import relationship patterns
+        if (this.extendedConfig.import_relationships) {
+            this.analyzeImportPatterns(importPatterns, failures);
+        }
         return failures;
     }
     checkEnvDrift(content, file, anchors, failures) {
@@ -40,4 +66,127 @@ export class ContextGate extends Gate {
             }
         }
     }
+    /**
+     * Collect naming patterns (function names, class names, variable names)
+     */
+    collectNamingPatterns(content, file, patterns) {
+        // Function declarations
+        const funcMatches = content.matchAll(/(?:function|const|let|var)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)\s*[=(]/g);
+        for (const match of funcMatches) {
+            const name = match[1];
+            const casing = this.detectCasing(name);
+            this.addPattern(patterns, 'function', { casing, file, count: 1 });
+        }
+        // Class declarations
+        const classMatches = content.matchAll(/class\s+([A-Za-z_$][A-Za-z0-9_$]*)/g);
+        for (const match of classMatches) {
+            const casing = this.detectCasing(match[1]);
+            this.addPattern(patterns, 'class', { casing, file, count: 1 });
+        }
+        // Interface declarations (TypeScript)
+        const interfaceMatches = content.matchAll(/interface\s+([A-Za-z_$][A-Za-z0-9_$]*)/g);
+        for (const match of interfaceMatches) {
+            const casing = this.detectCasing(match[1]);
+            this.addPattern(patterns, 'interface', { casing, file, count: 1 });
+        }
+    }
+    /**
+     * Collect import patterns
+     */
+    collectImportPatterns(content, file, patterns) {
+        // ES6 imports
+        const importMatches = content.matchAll(/import\s+(?:{[^}]+}|\*\s+as\s+\w+|\w+)\s+from\s+['"]([^'"]+)['"]/g);
+        for (const match of importMatches) {
+            const importPath = match[1];
+            if (!patterns.has(file)) {
+                patterns.set(file, []);
+            }
+            patterns.get(file).push(importPath);
+        }
+    }
+    /**
+     * Analyze naming consistency across files
+     */
+    analyzeNamingConsistency(patterns, failures) {
+        for (const [type, entries] of patterns) {
+            const casingCounts = new Map();
+            for (const entry of entries) {
+                casingCounts.set(entry.casing, (casingCounts.get(entry.casing) || 0) + entry.count);
+            }
+            // Find dominant casing
+            let dominant = '';
+            let maxCount = 0;
+            for (const [casing, count] of casingCounts) {
+                if (count > maxCount) {
+                    dominant = casing;
+                    maxCount = count;
+                }
+            }
+            // Report violations (non-dominant casing with significant usage)
+            const total = entries.reduce((sum, e) => sum + e.count, 0);
+            const threshold = total * (1 - (this.extendedConfig.sensitivity ?? 0.8));
+            for (const [casing, count] of casingCounts) {
+                if (casing !== dominant && count > threshold) {
+                    const violatingFiles = entries.filter(e => e.casing === casing).map(e => e.file);
+                    const uniqueFiles = [...new Set(violatingFiles)].slice(0, 5);
+                    failures.push(this.createFailure(`Cross-file naming inconsistency: ${type} names use ${casing} in ${count} places (dominant is ${dominant})`, uniqueFiles, `Standardize ${type} naming to ${dominant}. Found ${casing} in: ${uniqueFiles.join(', ')}`, 'Naming Convention Drift'));
+                }
+            }
+        }
+    }
+    /**
+     * Analyze import patterns for consistency
+     */
+    analyzeImportPatterns(patterns, failures) {
+        // Check for mixed import styles (relative vs absolute)
+        const relativeCount = new Map();
+        const absoluteCount = new Map();
+        for (const [file, imports] of patterns) {
+            for (const imp of imports) {
+                if (imp.startsWith('.') || imp.startsWith('..')) {
+                    relativeCount.set(file, (relativeCount.get(file) || 0) + 1);
+                }
+                else if (!imp.startsWith('@') && !imp.includes('/')) {
+                    // Skip external packages
+                }
+                else {
+                    absoluteCount.set(file, (absoluteCount.get(file) || 0) + 1);
+                }
+            }
+        }
+        // Detect files with both relative AND absolute local imports
+        const mixedFiles = [];
+        for (const file of patterns.keys()) {
+            const hasRelative = (relativeCount.get(file) || 0) > 0;
+            const hasAbsolute = (absoluteCount.get(file) || 0) > 0;
+            if (hasRelative && hasAbsolute) {
+                mixedFiles.push(file);
+            }
+        }
+        if (mixedFiles.length > 3) {
+            failures.push(this.createFailure(`Cross-file import inconsistency: ${mixedFiles.length} files mix relative and absolute imports`, mixedFiles.slice(0, 5), 'Standardize import style across the codebase. Use either relative (./foo) or path aliases (@/foo) consistently.', 'Import Pattern Drift'));
+        }
+    }
+    /**
+     * Detect casing convention of an identifier
+     */
+    detectCasing(name) {
+        if (/^[A-Z][a-z]/.test(name) && /[a-z][A-Z]/.test(name))
+            return 'PascalCase';
+        if (/^[a-z]/.test(name) && /[a-z][A-Z]/.test(name))
+            return 'camelCase';
+        if (/^[a-z]+(_[a-z]+)+$/.test(name))
+            return 'snake_case';
+        if (/^[A-Z]+(_[A-Z]+)*$/.test(name))
+            return 'SCREAMING_SNAKE';
+        if (/^[A-Z][a-zA-Z]*$/.test(name))
+            return 'PascalCase';
+        return 'unknown';
+    }
+    addPattern(patterns, type, entry) {
+        if (!patterns.has(type)) {
+            patterns.set(type, []);
+        }
+        patterns.get(type).push(entry);
+    }
 }

package/dist/gates/runner.js

@@ -9,6 +9,9 @@ import { ContextGate } from './context.js';
 import { ContextEngine } from '../services/context-engine.js';
 import { EnvironmentGate } from './environment.js';
 import { RetryLoopBreakerGate } from './retry-loop-breaker.js';
+import { AgentTeamGate } from './agent-team.js';
+import { CheckpointGate } from './checkpoint.js';
+import { SecurityPatternsGate } from './security-patterns.js';
 import { execa } from 'execa';
 import { Logger } from '../utils/logger.js';
 export class GateRunner {
@@ -40,6 +43,18 @@ export class GateRunner {
         if (this.config.gates.context?.enabled) {
             this.gates.push(new ContextGate(this.config.gates));
         }
+        // Agent Team Governance Gate (for Opus 4.6 / GPT-5.3 multi-agent workflows)
+        if (this.config.gates.agent_team?.enabled) {
+            this.gates.push(new AgentTeamGate(this.config.gates.agent_team));
+        }
+        // Checkpoint Supervision Gate (for long-running GPT-5.3 coworking mode)
+        if (this.config.gates.checkpoint?.enabled) {
+            this.gates.push(new CheckpointGate(this.config.gates.checkpoint));
+        }
+        // Security Patterns Gate (code-level vulnerability detection)
+        if (this.config.gates.security?.enabled) {
+            this.gates.push(new SecurityPatternsGate(this.config.gates.security));
+        }
         // Environment Alignment Gate (Should be prioritized)
         if (this.config.gates.environment?.enabled) {
             this.gates.unshift(new EnvironmentGate(this.config.gates));

package/dist/gates/security-patterns.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Security Patterns Gate
+ *
+ * Detects code-level security vulnerabilities for frontier models
+ * that may generate insecure patterns at scale.
+ *
+ * Patterns covered:
+ * - SQL Injection
+ * - XSS (Cross-Site Scripting)
+ * - Path Traversal
+ * - Hardcoded Secrets
+ * - Insecure Randomness
+ * - Command Injection
+ *
+ * @since v2.14.0
+ */
+import { Gate, GateContext } from './base.js';
+import { Failure } from '../types/index.js';
+export interface SecurityVulnerability {
+    type: string;
+    severity: 'critical' | 'high' | 'medium' | 'low';
+    file: string;
+    line: number;
+    match: string;
+    description: string;
+    cwe?: string;
+}
+export interface SecurityPatternsConfig {
+    enabled?: boolean;
+    sql_injection?: boolean;
+    xss?: boolean;
+    path_traversal?: boolean;
+    hardcoded_secrets?: boolean;
+    insecure_randomness?: boolean;
+    command_injection?: boolean;
+    block_on_severity?: 'critical' | 'high' | 'medium' | 'low';
+}
+export declare class SecurityPatternsGate extends Gate {
+    private config;
+    private severityOrder;
+    constructor(config?: SecurityPatternsConfig);
+    run(context: GateContext): Promise<Failure[]>;
+    private scanFileForVulnerabilities;
+}
+/**
+ * Quick helper to check a single file for security issues
+ */
+export declare function checkSecurityPatterns(filePath: string, config?: SecurityPatternsConfig): Promise<SecurityVulnerability[]>;

package/dist/gates/security-patterns.js

@@ -0,0 +1,236 @@
+/**
+ * Security Patterns Gate
+ *
+ * Detects code-level security vulnerabilities for frontier models
+ * that may generate insecure patterns at scale.
+ *
+ * Patterns covered:
+ * - SQL Injection
+ * - XSS (Cross-Site Scripting)
+ * - Path Traversal
+ * - Hardcoded Secrets
+ * - Insecure Randomness
+ * - Command Injection
+ *
+ * @since v2.14.0
+ */
+import { Gate } from './base.js';
+import { FileScanner } from '../utils/scanner.js';
+import { Logger } from '../utils/logger.js';
+import fs from 'fs-extra';
+import path from 'path';
+// Pattern definitions with regex and metadata
+const VULNERABILITY_PATTERNS = [
+    // SQL Injection
+    {
+        type: 'sql_injection',
+        regex: /(?:execute|query|raw|exec)\s*\(\s*[`'"].*\$\{.+\}|`\s*\+\s*\w+|\$\{.+\}.*(?:SELECT|INSERT|UPDATE|DELETE|DROP)/gi,
+        severity: 'critical',
+        description: 'Potential SQL injection: User input concatenated into SQL query',
+        cwe: 'CWE-89',
+        languages: ['ts', 'js', 'py']
+    },
+    {
+        type: 'sql_injection',
+        regex: /\.query\s*\(\s*['"`].*\+.*\+.*['"`]\s*\)/g,
+        severity: 'critical',
+        description: 'SQL query built with string concatenation',
+        cwe: 'CWE-89',
+        languages: ['ts', 'js']
+    },
+    // XSS
+    {
+        type: 'xss',
+        regex: /innerHTML\s*=\s*(?!\s*['"`]\s*['"`])[^;]+/g,
+        severity: 'high',
+        description: 'Potential XSS: innerHTML assignment with dynamic content',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js', 'tsx', 'jsx']
+    },
+    {
+        type: 'xss',
+        regex: /dangerouslySetInnerHTML\s*=\s*\{/g,
+        severity: 'high',
+        description: 'dangerouslySetInnerHTML usage (ensure content is sanitized)',
+        cwe: 'CWE-79',
+        languages: ['tsx', 'jsx']
+    },
+    {
+        type: 'xss',
+        regex: /document\.write\s*\(/g,
+        severity: 'high',
+        description: 'document.write is dangerous for XSS',
+        cwe: 'CWE-79',
+        languages: ['ts', 'js']
+    },
+    // Path Traversal
+    {
+        type: 'path_traversal',
+        regex: /(?:readFile|writeFile|readdir|unlink|rmdir)\s*\([^)]*(?:req\.(?:params|query|body)|\.\.\/)/g,
+        severity: 'high',
+        description: 'Potential path traversal: File operation with user input',
+        cwe: 'CWE-22',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'path_traversal',
+        regex: /path\.join\s*\([^)]*req\./g,
+        severity: 'medium',
+        description: 'path.join with request data (verify input sanitization)',
+        cwe: 'CWE-22',
+        languages: ['ts', 'js']
+    },
+    // Hardcoded Secrets
+    {
+        type: 'hardcoded_secrets',
+        regex: /(?:password|secret|api_key|apikey|auth_token|access_token|private_key)\s*[:=]\s*['"][^'"]{8,}['"]/gi,
+        severity: 'critical',
+        description: 'Hardcoded secret detected in code',
+        cwe: 'CWE-798',
+        languages: ['ts', 'js', 'py', 'java', 'go']
+    },
+    {
+        type: 'hardcoded_secrets',
+        regex: /(?:sk-|pk-|rk-|ghp_|gho_|ghu_|ghs_|ghr_)[a-zA-Z0-9]{20,}/g,
+        severity: 'critical',
+        description: 'API key pattern detected (OpenAI, GitHub, etc.)',
+        cwe: 'CWE-798',
+        languages: ['*']
+    },
+    {
+        type: 'hardcoded_secrets',
+        regex: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+        severity: 'critical',
+        description: 'Private key embedded in source code',
+        cwe: 'CWE-798',
+        languages: ['*']
+    },
+    // Insecure Randomness
+    {
+        type: 'insecure_randomness',
+        regex: /Math\.random\s*\(\s*\)/g,
+        severity: 'medium',
+        description: 'Math.random() is not cryptographically secure',
+        cwe: 'CWE-338',
+        languages: ['ts', 'js', 'tsx', 'jsx']
+    },
+    // Command Injection
+    {
+        type: 'command_injection',
+        regex: /(?:exec|spawn|execSync|spawnSync)\s*\([^)]*(?:req\.|`.*\$\{)/g,
+        severity: 'critical',
+        description: 'Potential command injection: shell execution with user input',
+        cwe: 'CWE-78',
+        languages: ['ts', 'js']
+    },
+    {
+        type: 'command_injection',
+        regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\(/g,
+        severity: 'high',
+        description: 'child_process usage detected (verify input sanitization)',
+        cwe: 'CWE-78',
+        languages: ['ts', 'js']
+    },
+];
+export class SecurityPatternsGate extends Gate {
+    config;
+    severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    constructor(config = {}) {
+        super('security-patterns', 'Security Pattern Detection');
+        this.config = {
+            enabled: config.enabled ?? false,
+            sql_injection: config.sql_injection ?? true,
+            xss: config.xss ?? true,
+            path_traversal: config.path_traversal ?? true,
+            hardcoded_secrets: config.hardcoded_secrets ?? true,
+            insecure_randomness: config.insecure_randomness ?? true,
+            command_injection: config.command_injection ?? true,
+            block_on_severity: config.block_on_severity ?? 'high',
+        };
+    }
+    async run(context) {
+        if (!this.config.enabled) {
+            return [];
+        }
+        const failures = [];
+        const vulnerabilities = [];
+        const files = await FileScanner.findFiles({
+            cwd: context.cwd,
+            patterns: ['**/*.{ts,js,tsx,jsx,py,java,go}'],
+        });
+        Logger.info(`Security Patterns Gate: Scanning ${files.length} files`);
+        for (const file of files) {
+            try {
+                const fullPath = path.join(context.cwd, file);
+                const content = await fs.readFile(fullPath, 'utf-8');
+                const ext = path.extname(file).slice(1);
+                this.scanFileForVulnerabilities(content, file, ext, vulnerabilities);
+            }
+            catch (e) { }
+        }
+        // Filter by enabled checks
+        const filteredVulns = vulnerabilities.filter(v => {
+            switch (v.type) {
+                case 'sql_injection': return this.config.sql_injection;
+                case 'xss': return this.config.xss;
+                case 'path_traversal': return this.config.path_traversal;
+                case 'hardcoded_secrets': return this.config.hardcoded_secrets;
+                case 'insecure_randomness': return this.config.insecure_randomness;
+                case 'command_injection': return this.config.command_injection;
+                default: return true;
+            }
+        });
+        // Sort by severity
+        filteredVulns.sort((a, b) => this.severityOrder[a.severity] - this.severityOrder[b.severity]);
+        // Convert to failures based on block_on_severity threshold
+        const blockThreshold = this.severityOrder[this.config.block_on_severity ?? 'high'];
+        for (const vuln of filteredVulns) {
+            if (this.severityOrder[vuln.severity] <= blockThreshold) {
+                failures.push(this.createFailure(`[${vuln.cwe}] ${vuln.description} at line ${vuln.line}`, [vuln.file], `Found: "${vuln.match.slice(0, 60)}..." - Use parameterized queries/sanitization.`, `Security: ${vuln.type.replace('_', ' ').toUpperCase()}`));
+            }
+        }
+        if (filteredVulns.length > 0 && failures.length === 0) {
+            // Vulnerabilities found but below threshold - log info
+            Logger.info(`Security scan found ${filteredVulns.length} issues below ${this.config.block_on_severity} threshold`);
+        }
+        return failures;
+    }
+    scanFileForVulnerabilities(content, file, ext, vulnerabilities) {
+        const lines = content.split('\n');
+        for (const pattern of VULNERABILITY_PATTERNS) {
+            // Check if pattern applies to this file type
+            if (!pattern.languages.includes('*') && !pattern.languages.includes(ext)) {
+                continue;
+            }
+            // Reset regex state
+            pattern.regex.lastIndex = 0;
+            let match;
+            while ((match = pattern.regex.exec(content)) !== null) {
+                // Find line number
+                const beforeMatch = content.slice(0, match.index);
+                const lineNumber = beforeMatch.split('\n').length;
+                vulnerabilities.push({
+                    type: pattern.type,
+                    severity: pattern.severity,
+                    file,
+                    line: lineNumber,
+                    match: match[0],
+                    description: pattern.description,
+                    cwe: pattern.cwe,
+                });
+            }
+        }
+    }
+}
+/**
+ * Quick helper to check a single file for security issues
+ */
+export async function checkSecurityPatterns(filePath, config = { enabled: true }) {
+    const gate = new SecurityPatternsGate(config);
+    const content = await fs.readFile(filePath, 'utf-8');
+    const ext = path.extname(filePath).slice(1);
+    const vulnerabilities = [];
+    // Use the private method via reflection for testing
+    gate.scanFileForVulnerabilities(content, filePath, ext, vulnerabilities);
+    return vulnerabilities;
+}

package/dist/gates/security-patterns.test.d.ts

@@ -0,0 +1 @@
+export {};