@rigour-labs/core 2.21.2 → 3.0.0

package/README.md

@@ -0,0 +1,58 @@
+# @rigour-labs/core
+
+[![npm version](https://img.shields.io/npm/v/@rigour-labs/core?color=cyan)](https://www.npmjs.com/package/@rigour-labs/core)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+**Deterministic quality gate engine for AI-generated code.**
+
+The core library powering [Rigour](https://rigour.run) — AST analysis, AI drift detection, security scanning, and Fix Packet generation across TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET.
+
+> This package is the engine. For the CLI, use [`@rigour-labs/cli`](https://www.npmjs.com/package/@rigour-labs/cli). For MCP integration, use [`@rigour-labs/mcp`](https://www.npmjs.com/package/@rigour-labs/mcp).
+
+## What's Inside
+
+### 23 Quality Gates
+
+**Structural:** File size, cyclomatic complexity, method count, parameter count, nesting depth, required docs, content hygiene.
+
+**Security:** Hardcoded secrets, SQL injection, XSS, command injection, path traversal.
+
+**AI-Native Drift Detection:** Duplication drift, hallucinated imports, inconsistent error handling, context window artifacts, async & error safety (promise safety).
+
+**Agent Governance:** Multi-agent scope isolation, checkpoint supervision, context drift, retry loop breaker.
+
+### Multi-Language Support
+
+All gates support: TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET.
+
+### Two-Score System
+
+Every failure carries a **provenance tag** (`ai-drift`, `traditional`, `security`, `governance`) and contributes to two sub-scores:
+
+- **AI Health Score** (0–100) — AI-specific failures
+- **Structural Score** (0–100) — Traditional code quality
+
+### Fix Packets (v2)
+
+Machine-readable JSON diagnostics with severity, provenance, file, line number, and step-by-step remediation instructions that AI agents can consume directly.
+
+## Usage
+
+```typescript
+import { GateRunner } from '@rigour-labs/core';
+
+const runner = new GateRunner(config, projectRoot);
+const report = await runner.run();
+
+console.log(report.pass);      // true or false
+console.log(report.score);     // 0-100
+console.log(report.failures);  // Failure[]
+```
+
+## Documentation
+
+**[Full docs at docs.rigour.run](https://docs.rigour.run)**
+
+## License
+
+MIT © [Rigour Labs](https://github.com/rigour-labs)

package/dist/context.test.js

@@ -2,9 +2,8 @@ import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import { GateRunner } from '../src/gates/runner.js';
 import fs from 'fs-extra';
 import path from 'path';
-import { fileURLToPath } from 'url';
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const TEST_CWD = path.join(__dirname, '../temp-test-context');
+import os from 'os';
+const TEST_CWD = path.join(os.tmpdir(), 'rigour-temp-test-context-' + process.pid);
 describe('Context Awareness Engine', () => {
     beforeAll(async () => {
         await fs.ensureDir(TEST_CWD);

package/dist/environment.test.js

@@ -3,8 +3,9 @@ import { GateRunner } from './gates/runner.js';
 import { ConfigSchema } from './types/index.js';
 import fs from 'fs-extra';
 import path from 'path';
+import os from 'os';
 describe('Environment Alignment Gate', () => {
-    const testDir = path.join(process.cwd(), 'temp-test-env');
+    const testDir = path.join(os.tmpdir(), 'rigour-temp-test-env-' + process.pid);
     beforeEach(async () => {
         await fs.ensureDir(testDir);
     });

package/dist/gates/agent-team.d.ts

@@ -12,7 +12,7 @@
  * @since v2.14.0
  */
 import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
+import { Failure, Provenance } from '../types/index.js';
 export interface AgentRegistration {
     agentId: string;
     taskScope: string[];
@@ -46,5 +46,6 @@ export declare function clearSession(cwd: string): void;
 export declare class AgentTeamGate extends Gate {
     private config;
     constructor(config?: AgentTeamConfig);
+    protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
 }

package/dist/gates/agent-team.js

@@ -120,6 +120,7 @@ export class AgentTeamGate extends Gate {
             task_ownership: config.task_ownership ?? 'strict',
         };
     }
+    get provenance() { return 'governance'; }
     async run(context) {
         if (!this.config.enabled) {
             return [];

package/dist/gates/base.d.ts

@@ -1,5 +1,5 @@
 import { GoldenRecord } from '../services/context-engine.js';
-import { Failure } from '../types/index.js';
+import { Failure, Severity, Provenance } from '../types/index.js';
 export interface GateContext {
     cwd: string;
     record?: GoldenRecord;
@@ -11,5 +11,7 @@ export declare abstract class Gate {
     readonly title: string;
     constructor(id: string, title: string);
     abstract run(context: GateContext): Promise<Failure[]>;
-    protected createFailure(details: string, files?: string[], hint?: string, title?: string, line?: number, endLine?: number): Failure;
+    /** Default provenance for this gate — subclasses override */
+    protected get provenance(): Provenance;
+    protected createFailure(details: string, files?: string[], hint?: string, title?: string, line?: number, endLine?: number, severity?: Severity): Failure;
 }

package/dist/gates/base.js

@@ -5,11 +5,15 @@ export class Gate {
         this.id = id;
         this.title = title;
     }
-    createFailure(details, files, hint, title, line, endLine) {
+    /** Default provenance for this gate — subclasses override */
+    get provenance() { return 'traditional'; }
+    createFailure(details, files, hint, title, line, endLine, severity) {
         return {
             id: this.id,
             title: title || this.title,
             details,
+            severity: severity || 'medium',
+            provenance: this.provenance,
             files,
             line,
             endLine,

package/dist/gates/checkpoint.d.ts

@@ -13,7 +13,7 @@
  * @since v2.14.0
  */
 import { Gate, GateContext } from './base.js';
-import { Failure } from '../types/index.js';
+import { Failure, Provenance } from '../types/index.js';
 export interface CheckpointEntry {
     checkpointId: string;
     timestamp: Date;
@@ -68,5 +68,6 @@ export declare function clearCheckpointSession(cwd: string): void;
 export declare class CheckpointGate extends Gate {
     private config;
     constructor(config?: CheckpointConfig);
+    protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
 }

package/dist/gates/checkpoint.js

@@ -198,6 +198,7 @@ export class CheckpointGate extends Gate {
             auto_save_on_failure: config.auto_save_on_failure ?? true,
         };
     }
+    get provenance() { return 'governance'; }
     async run(context) {
         if (!this.config.enabled) {
             return [];
@@ -217,13 +218,13 @@ export class CheckpointGate extends Gate {
         // Check 2: Quality threshold
         const lastCheckpoint = session.checkpoints[session.checkpoints.length - 1];
         if (lastCheckpoint.qualityScore < (this.config.quality_threshold ?? 80)) {
-            failures.push(this.createFailure(`Quality score ${lastCheckpoint.qualityScore}% is below threshold ${this.config.quality_threshold}%`, lastCheckpoint.filesChanged, 'Review recent changes and address quality issues before continuing', 'Quality Below Threshold'));
+            failures.push(this.createFailure(`Quality score ${lastCheckpoint.qualityScore}% is below threshold ${this.config.quality_threshold}%`, lastCheckpoint.filesChanged, 'Review recent changes and address quality issues before continuing', 'Quality Below Threshold', undefined, undefined, 'high'));
         }
         // Check 3: Drift detection
         if (this.config.drift_detection) {
             const { hasDrift, trend } = detectDrift(session.checkpoints);
             if (hasDrift && trend === 'degrading') {
-                failures.push(this.createFailure(`Quality drift detected: scores are degrading over time`, undefined, 'Agent performance is declining. Consider pausing and reviewing recent work.', 'Quality Drift Detected'));
+                failures.push(this.createFailure(`Quality drift detected: scores are degrading over time`, undefined, 'Agent performance is declining. Consider pausing and reviewing recent work.', 'Quality Drift Detected', undefined, undefined, 'high'));
             }
         }
         return failures;

package/dist/gates/content.js

@@ -26,7 +26,7 @@ export class ContentGate extends Gate {
             lines.forEach((line, index) => {
                 for (const pattern of patterns) {
                     if (pattern.test(line)) {
-                        failures.push(this.createFailure(`Forbidden placeholder '${pattern.source}' found`, [file], 'Remove forbidden comments. address the root cause or create a tracked issue.', undefined, index + 1, index + 1));
+                        failures.push(this.createFailure(`Forbidden placeholder '${pattern.source}' found`, [file], 'Remove forbidden comments. address the root cause or create a tracked issue.', undefined, index + 1, index + 1, 'info'));
                     }
                 }
             });

package/dist/gates/context-window-artifacts.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Context Window Artifacts Gate
+ *
+ * Detects quality degradation patterns within a single file that emerge
+ * when AI loses context mid-generation. The telltale sign: clean,
+ * well-structured code at the top of a file that gradually degrades
+ * toward the bottom.
+ *
+ * Detection signals:
+ * 1. Comment density drops sharply (top half vs bottom half)
+ * 2. Function complexity increases toward end of file
+ * 3. Variable naming quality degrades (shorter names, more single-letter vars)
+ * 4. Error handling becomes sparser toward the bottom
+ * 5. Code style inconsistencies emerge (indentation, spacing)
+ *
+ * @since v2.16.0
+ */
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface ContextWindowArtifactsConfig {
+    enabled?: boolean;
+    min_file_lines?: number;
+    degradation_threshold?: number;
+    signals_required?: number;
+}
+export declare class ContextWindowArtifactsGate extends Gate {
+    private config;
+    constructor(config?: ContextWindowArtifactsConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    private analyzeFile;
+    private measureHalf;
+    private measureFunctionLengths;
+}

package/dist/gates/context-window-artifacts.js

@@ -0,0 +1,214 @@
+/**
+ * Context Window Artifacts Gate
+ *
+ * Detects quality degradation patterns within a single file that emerge
+ * when AI loses context mid-generation. The telltale sign: clean,
+ * well-structured code at the top of a file that gradually degrades
+ * toward the bottom.
+ *
+ * Detection signals:
+ * 1. Comment density drops sharply (top half vs bottom half)
+ * 2. Function complexity increases toward end of file
+ * 3. Variable naming quality degrades (shorter names, more single-letter vars)
+ * 4. Error handling becomes sparser toward the bottom
+ * 5. Code style inconsistencies emerge (indentation, spacing)
+ *
+ * @since v2.16.0
+ */
+import { Gate } from './base.js';
+import { FileScanner } from '../utils/scanner.js';
+import { Logger } from '../utils/logger.js';
+import fs from 'fs-extra';
+import path from 'path';
+export class ContextWindowArtifactsGate extends Gate {
+    config;
+    constructor(config = {}) {
+        super('context-window-artifacts', 'Context Window Artifact Detection');
+        this.config = {
+            enabled: config.enabled ?? true,
+            min_file_lines: config.min_file_lines ?? 100,
+            degradation_threshold: config.degradation_threshold ?? 0.4,
+            signals_required: config.signals_required ?? 2,
+        };
+    }
+    get provenance() { return 'ai-drift'; }
+    async run(context) {
+        if (!this.config.enabled)
+            return [];
+        const failures = [];
+        const files = await FileScanner.findFiles({
+            cwd: context.cwd,
+            patterns: ['**/*.{ts,js,tsx,jsx,py}'],
+            ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/*.test.*', '**/*.spec.*', '**/*.min.*'],
+        });
+        Logger.info(`Context Window Artifacts: Scanning ${files.length} files`);
+        for (const file of files) {
+            try {
+                const content = await fs.readFile(path.join(context.cwd, file), 'utf-8');
+                const lines = content.split('\n');
+                if (lines.length < this.config.min_file_lines)
+                    continue;
+                const metrics = this.analyzeFile(content, file);
+                if (metrics && metrics.signals.length >= this.config.signals_required &&
+                    metrics.degradationScore >= this.config.degradation_threshold) {
+                    const signalList = metrics.signals.map(s => `  • ${s}`).join('\n');
+                    const midpoint = Math.floor(metrics.totalLines / 2);
+                    failures.push(this.createFailure(`Context window artifact detected in ${file} (${metrics.totalLines} lines, degradation: ${(metrics.degradationScore * 100).toFixed(0)}%):\n${signalList}`, [file], `This file shows quality degradation from top to bottom, a pattern typical of AI context window exhaustion. Consider refactoring the bottom half or splitting the file. The quality drop begins around line ${midpoint}.`, 'Context Window Artifacts', midpoint, undefined, 'high'));
+                }
+            }
+            catch (e) { }
+        }
+        return failures;
+    }
+    analyzeFile(content, file) {
+        const lines = content.split('\n');
+        const midpoint = Math.floor(lines.length / 2);
+        const topContent = lines.slice(0, midpoint).join('\n');
+        const bottomContent = lines.slice(midpoint).join('\n');
+        const topMetrics = this.measureHalf(topContent);
+        const bottomMetrics = this.measureHalf(bottomContent);
+        const signals = [];
+        let degradationScore = 0;
+        // Signal 1: Comment density drops (use threshold to avoid tiny-denominator noise)
+        if (topMetrics.commentDensity > 0.01) {
+            const commentRatio = bottomMetrics.commentDensity / topMetrics.commentDensity;
+            if (commentRatio < 0.5) {
+                signals.push(`Comment density drops ${((1 - commentRatio) * 100).toFixed(0)}% in bottom half`);
+                degradationScore += 0.25;
+            }
+        }
+        // Signal 2: Function length increases
+        if (topMetrics.avgFunctionLength > 0 && bottomMetrics.avgFunctionLength > 0) {
+            const lengthRatio = bottomMetrics.avgFunctionLength / topMetrics.avgFunctionLength;
+            if (lengthRatio > 1.5) {
+                signals.push(`Average function length ${lengthRatio.toFixed(1)}x longer in bottom half`);
+                degradationScore += 0.2;
+            }
+        }
+        // Signal 3: Variable naming quality degrades
+        if (bottomMetrics.singleCharVarCount > topMetrics.singleCharVarCount * 2 &&
+            bottomMetrics.singleCharVarCount >= 3) {
+            signals.push(`${bottomMetrics.singleCharVarCount} single-char variables in bottom half vs ${topMetrics.singleCharVarCount} in top`);
+            degradationScore += 0.2;
+        }
+        // Signal 3b: Average identifier length shrinks
+        if (topMetrics.avgIdentifierLength > 0 && bottomMetrics.avgIdentifierLength > 0) {
+            const nameRatio = bottomMetrics.avgIdentifierLength / topMetrics.avgIdentifierLength;
+            if (nameRatio < 0.7) {
+                signals.push(`Identifier names ${((1 - nameRatio) * 100).toFixed(0)}% shorter in bottom half`);
+                degradationScore += 0.15;
+            }
+        }
+        // Signal 4: Error handling becomes sparser
+        if (topMetrics.errorHandlingDensity > 0) {
+            const errorRatio = bottomMetrics.errorHandlingDensity / topMetrics.errorHandlingDensity;
+            if (errorRatio < 0.3) {
+                signals.push(`Error handling ${((1 - errorRatio) * 100).toFixed(0)}% less frequent in bottom half`);
+                degradationScore += 0.2;
+            }
+        }
+        // Signal 5: Empty blocks increase
+        if (bottomMetrics.emptyBlockCount > topMetrics.emptyBlockCount + 2) {
+            signals.push(`${bottomMetrics.emptyBlockCount} empty blocks in bottom half vs ${topMetrics.emptyBlockCount} in top`);
+            degradationScore += 0.15;
+        }
+        // Signal 6: TODO/FIXME/HACK density increases at bottom
+        if (bottomMetrics.todoCount > topMetrics.todoCount + 1) {
+            signals.push(`${bottomMetrics.todoCount} TODO/FIXME/HACK in bottom half vs ${topMetrics.todoCount} in top`);
+            degradationScore += 0.1;
+        }
+        // Cap at 1.0
+        degradationScore = Math.min(1.0, degradationScore);
+        return {
+            file,
+            totalLines: lines.length,
+            topHalf: topMetrics,
+            bottomHalf: bottomMetrics,
+            degradationScore,
+            signals,
+        };
+    }
+    measureHalf(content) {
+        const lines = content.split('\n');
+        const codeLines = lines.filter(l => l.trim() && !l.trim().startsWith('//') && !l.trim().startsWith('#') && !l.trim().startsWith('*'));
+        // Only count inline comments (//), not JSDoc/block comments (/** ... */ or * ...)
+        // JSDoc tends to cluster at file top, skewing "degradation" unfairly
+        const commentLines = lines.filter(l => {
+            const trimmed = l.trim();
+            return trimmed.startsWith('//') || trimmed.startsWith('#');
+        });
+        // Comment density
+        const commentDensity = codeLines.length > 0 ? commentLines.length / codeLines.length : 0;
+        // Function lengths
+        const funcLengths = this.measureFunctionLengths(content);
+        const avgFunctionLength = funcLengths.length > 0
+            ? funcLengths.reduce((a, b) => a + b, 0) / funcLengths.length
+            : 0;
+        // Single-char variables (excluding common loop vars i, j, k in for loops)
+        const singleCharMatches = content.match(/\b(?:const|let|var)\s+([a-z])\b/g) || [];
+        const singleCharVarCount = singleCharMatches.length;
+        // Error handling density
+        const tryCount = (content.match(/\btry\s*\{/g) || []).length;
+        const funcCount = Math.max(1, funcLengths.length);
+        const errorHandlingDensity = tryCount / funcCount;
+        // Empty blocks
+        const emptyBlockCount = (content.match(/\{\s*\}/g) || []).length;
+        // TODO/FIXME/HACK count
+        const todoCount = (content.match(/\b(TODO|FIXME|HACK|XXX)\b/gi) || []).length;
+        // Average identifier length
+        const identifiers = content.match(/\b(?:const|let|var|function)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g) || [];
+        const identNames = identifiers.map(m => {
+            const parts = m.split(/\s+/);
+            return parts[parts.length - 1];
+        });
+        const avgIdentifierLength = identNames.length > 0
+            ? identNames.reduce((sum, n) => sum + n.length, 0) / identNames.length
+            : 0;
+        return {
+            commentDensity,
+            avgFunctionLength,
+            singleCharVarCount,
+            errorHandlingDensity,
+            emptyBlockCount,
+            todoCount,
+            avgIdentifierLength,
+        };
+    }
+    measureFunctionLengths(content) {
+        const lines = content.split('\n');
+        const lengths = [];
+        const funcStarts = [
+            /^(?:export\s+)?(?:async\s+)?function\s+\w+/,
+            /^(?:export\s+)?(?:const|let|var)\s+\w+\s*=\s*(?:async\s+)?(?:\([^)]*\)|\w+)\s*=>/,
+            /^\s+(?:async\s+)?\w+\s*\([^)]*\)\s*\{/,
+        ];
+        for (let i = 0; i < lines.length; i++) {
+            for (const pattern of funcStarts) {
+                if (pattern.test(lines[i])) {
+                    // Count function body length
+                    let braceDepth = 0;
+                    let started = false;
+                    let bodyLines = 0;
+                    for (let j = i; j < lines.length; j++) {
+                        for (const ch of lines[j]) {
+                            if (ch === '{') {
+                                braceDepth++;
+                                started = true;
+                            }
+                            if (ch === '}')
+                                braceDepth--;
+                        }
+                        if (started)
+                            bodyLines++;
+                        if (started && braceDepth === 0)
+                            break;
+                    }
+                    if (bodyLines > 0)
+                        lengths.push(bodyLines);
+                    break;
+                }
+            }
+        }
+        return lengths;
+    }
+}

package/dist/gates/context.d.ts

@@ -1,5 +1,5 @@
 import { Gate, GateContext } from './base.js';
-import { Failure, Gates } from '../types/index.js';
+import { Failure, Gates, Provenance } from '../types/index.js';
 /**
  * Extended Context Configuration (v2.14+)
  * For 1M token frontier models like Opus 4.6
@@ -17,6 +17,7 @@ export declare class ContextGate extends Gate {
     private config;
     private extendedConfig;
     constructor(config: Gates);
+    protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
     private checkEnvDrift;
     /**

package/dist/gates/context.js

@@ -18,6 +18,7 @@ export class ContextGate extends Gate {
             max_cross_file_depth: 50,
         };
     }
+    get provenance() { return 'ai-drift'; }
     async run(context) {
         const failures = [];
         const record = context.record;
@@ -61,7 +62,7 @@ export class ContextGate extends Gate {
                 // it's a potential "invented" redundancy (e.g. CORE_URL vs CORE_URL_PROD)
                 if (accessedVar !== anchor.id && accessedVar.includes(anchor.id)) {
                     const deviation = accessedVar.replace(anchor.id, '').replace(/^_|_$/, '');
-                    failures.push(this.createFailure(`Context Drift: Redundant variation '${accessedVar}' detected in ${file}.`, [file], `The project already uses '${anchor.id}' as a standard anchor. Avoid inventing variations like '${deviation}'. Reuse the existing anchor or align with established project patterns.`));
+                    failures.push(this.createFailure(`Context Drift: Redundant variation '${accessedVar}' detected in ${file}.`, [file], `The project already uses '${anchor.id}' as a standard anchor. Avoid inventing variations like '${deviation}'. Reuse the existing anchor or align with established project patterns.`, undefined, undefined, undefined, 'high'));
                 }
             }
         }
@@ -140,7 +141,7 @@ export class ContextGate extends Gate {
                 if (casing !== dominant && count > threshold) {
                     const violatingFiles = entries.filter(e => e.casing === casing).map(e => e.file);
                     const uniqueFiles = [...new Set(violatingFiles)].slice(0, 5);
-                    failures.push(this.createFailure(`Cross-file naming inconsistency: ${type} names use ${casing} in ${count} places (dominant is ${dominant})`, uniqueFiles, `Standardize ${type} naming to ${dominant}. Found ${casing} in: ${uniqueFiles.join(', ')}`, 'Naming Convention Drift'));
+                    failures.push(this.createFailure(`Cross-file naming inconsistency: ${type} names use ${casing} in ${count} places (dominant is ${dominant})`, uniqueFiles, `Standardize ${type} naming to ${dominant}. Found ${casing} in: ${uniqueFiles.join(', ')}`, 'Naming Convention Drift', undefined, undefined, 'high'));
                 }
             }
         }
@@ -175,7 +176,7 @@ export class ContextGate extends Gate {
             }
         }
         if (mixedFiles.length > 3) {
-            failures.push(this.createFailure(`Cross-file import inconsistency: ${mixedFiles.length} files mix relative and absolute imports`, mixedFiles.slice(0, 5), 'Standardize import style across the codebase. Use either relative (./foo) or path aliases (@/foo) consistently.', 'Import Pattern Drift'));
+            failures.push(this.createFailure(`Cross-file import inconsistency: ${mixedFiles.length} files mix relative and absolute imports`, mixedFiles.slice(0, 5), 'Standardize import style across the codebase. Use either relative (./foo) or path aliases (@/foo) consistently.', 'Import Pattern Drift', undefined, undefined, 'high'));
         }
     }
     /**

package/dist/gates/coverage.js

@@ -35,7 +35,9 @@ export class CoverageGate extends Gate {
                     title: `Low coverage for high-risk file: ${file}`,
                     details: `Current coverage: ${coverage.toFixed(2)}%. Required: ${threshold}% due to structural risk.`,
                     files: [file],
-                    hint: `Add dynamic tests to cover complex logical branches in this file.`
+                    hint: `Add dynamic tests to cover complex logical branches in this file.`,
+                    severity: 'medium',
+                    provenance: 'traditional'
                 });
             }
         }

package/dist/gates/dependency.js

@@ -25,7 +25,7 @@ export class DependencyGate extends Gate {
                 };
                 for (const dep of forbidden) {
                     if (allDeps[dep]) {
-                        failures.push(this.createFailure(`The package '${dep}' is forbidden by project standards.`, ['package.json'], `Remove '${dep}' from package.json and use approved alternatives.`, 'Forbidden Dependency'));
+                        failures.push(this.createFailure(`The package '${dep}' is forbidden by project standards.`, ['package.json'], `Remove '${dep}' from package.json and use approved alternatives.`, 'Forbidden Dependency', undefined, undefined, 'medium'));
                     }
                 }
             }
@@ -37,7 +37,7 @@ export class DependencyGate extends Gate {
             const content = await fs.readFile(reqPath, 'utf-8');
             for (const dep of forbidden) {
                 if (new RegExp(`^${dep}([=<>! ]|$)`, 'm').test(content)) {
-                    failures.push(this.createFailure(`The Python package '${dep}' is forbidden.`, ['requirements.txt'], `Remove '${dep}' from requirements.txt.`, 'Forbidden Dependency'));
+                    failures.push(this.createFailure(`The Python package '${dep}' is forbidden.`, ['requirements.txt'], `Remove '${dep}' from requirements.txt.`, 'Forbidden Dependency', undefined, undefined, 'medium'));
                 }
             }
         }
@@ -46,7 +46,7 @@ export class DependencyGate extends Gate {
             const content = await fs.readFile(pyprojPath, 'utf-8');
             for (const dep of forbidden) {
                 if (new RegExp(`^${dep}\\s*=`, 'm').test(content)) {
-                    failures.push(this.createFailure(`The Python package '${dep}' is forbidden in pyproject.toml.`, ['pyproject.toml'], `Remove '${dep}' from pyproject.toml dependencies.`, 'Forbidden Dependency'));
+                    failures.push(this.createFailure(`The Python package '${dep}' is forbidden in pyproject.toml.`, ['pyproject.toml'], `Remove '${dep}' from pyproject.toml dependencies.`, 'Forbidden Dependency', undefined, undefined, 'medium'));
                 }
             }
         }
@@ -56,7 +56,7 @@ export class DependencyGate extends Gate {
             const content = await fs.readFile(goModPath, 'utf-8');
             for (const dep of forbidden) {
                 if (content.includes(dep)) {
-                    failures.push(this.createFailure(`The Go module '${dep}' is forbidden.`, ['go.mod'], `Remove '${dep}' from go.mod.`, 'Forbidden Dependency'));
+                    failures.push(this.createFailure(`The Go module '${dep}' is forbidden.`, ['go.mod'], `Remove '${dep}' from go.mod.`, 'Forbidden Dependency', undefined, undefined, 'medium'));
                 }
             }
         }
@@ -66,7 +66,7 @@ export class DependencyGate extends Gate {
             const content = await fs.readFile(pomPath, 'utf-8');
             for (const dep of forbidden) {
                 if (content.includes(`<artifactId>${dep}</artifactId>`)) {
-                    failures.push(this.createFailure(`The Java artifact '${dep}' is forbidden.`, ['pom.xml'], `Remove '${dep}' from pom.xml.`, 'Forbidden Dependency'));
+                    failures.push(this.createFailure(`The Java artifact '${dep}' is forbidden.`, ['pom.xml'], `Remove '${dep}' from pom.xml.`, 'Forbidden Dependency', undefined, undefined, 'medium'));
                 }
             }
         }

package/dist/gates/duplication-drift.d.ts

@@ -0,0 +1,33 @@
+/**
+ * Duplication Drift Gate
+ *
+ * Detects when AI generates near-identical functions across files because
+ * it doesn't remember what it already wrote. This is an AI-specific failure
+ * mode — humans reuse via copy-paste (same file), AI re-invents (cross-file).
+ *
+ * Detection strategy:
+ * 1. Extract all function bodies (normalized: strip whitespace, comments)
+ * 2. Compare function signatures + body hashes across files
+ * 3. Flag functions with >80% similarity in different files
+ *
+ * @since v2.16.0
+ */
+import { Gate, GateContext } from './base.js';
+import { Failure, Provenance } from '../types/index.js';
+export interface DuplicationDriftConfig {
+    enabled?: boolean;
+    similarity_threshold?: number;
+    min_body_lines?: number;
+}
+export declare class DuplicationDriftGate extends Gate {
+    private config;
+    constructor(config?: DuplicationDriftConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    private extractJSFunctions;
+    private extractPyFunctions;
+    private extractFunctionBody;
+    private normalizeBody;
+    private hash;
+    private findDuplicateGroups;
+}