@rigour-labs/core 4.0.4 → 4.1.0

package/dist/gates/inconsistent-error-handling.js

@@ -48,6 +48,8 @@ export class InconsistentErrorHandlingGate extends Gate {
         });
         Logger.info(`Inconsistent Error Handling: Scanning ${files.length} files`);
         for (const file of files) {
+            if (this.shouldSkipFile(file))
+                continue;
             try {
                 const content = await fs.readFile(path.join(context.cwd, file), 'utf-8');
                 this.extractErrorHandlers(content, file, handlers);
@@ -87,7 +89,8 @@ export class InconsistentErrorHandlingGate extends Gate {
                     return `  • ${strategy} (${handlers.length}x): ${files.join(', ')}`;
                 })
                     .join('\n');
-                failures.push(this.createFailure(`Inconsistent error handling for '${errorType}': ${activeStrategies.size} different strategies found across ${uniqueFiles.size} files:\n${strategyBreakdown}`, [...uniqueFiles].slice(0, 5), `Standardize error handling for '${errorType}'. Create a shared error handler or establish a project convention. AI agents often write error handling from scratch each session, leading to divergent patterns.`, 'Inconsistent Error Handling', typeHandlers[0].line, undefined, 'high'));
+                const severity = uniqueFiles.size >= 4 && activeStrategies.size >= 4 ? 'high' : 'medium';
+                failures.push(this.createFailure(`Inconsistent error handling for '${errorType}': ${activeStrategies.size} different strategies found across ${uniqueFiles.size} files:\n${strategyBreakdown}`, [...uniqueFiles].slice(0, 5), `Standardize error handling for '${errorType}'. Create a shared error handler or establish a project convention. AI agents often write error handling from scratch each session, leading to divergent patterns.`, 'Inconsistent Error Handling', typeHandlers[0].line, undefined, severity));
             }
         }
         return failures;
@@ -233,4 +236,12 @@ export class InconsistentErrorHandlingGate extends Gate {
         }
         return body.length > 0 ? body.join('\n') : null;
     }
+    shouldSkipFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        return (normalized.includes('/examples/') ||
+            normalized.includes('/src/gates/') ||
+            normalized.endsWith('src/hooks/standalone-checker.ts') ||
+            normalized.endsWith('packages/rigour-mcp/src/index.ts') ||
+            normalized.endsWith('packages/rigour-studio/src/App.tsx'));
+    }
 }

package/dist/gates/phantom-apis.d.ts

@@ -42,12 +42,14 @@ export declare class PhantomApisGate extends Gate {
     constructor(config?: PhantomApisConfig);
     protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
+    private shouldSkipFile;
     /**
      * Node.js stdlib method verification.
      * For each known module, we maintain the actual exported methods.
      * Any call like fs.readFileAsync() that doesn't match is flagged.
      */
     private checkNodePhantomApis;
+    private stripJsCommentLine;
     /**
      * Python stdlib method verification.
      */

package/dist/gates/phantom-apis.js

@@ -49,12 +49,14 @@ export class PhantomApisGate extends Gate {
             cwd: context.cwd,
             patterns: ['**/*.{ts,js,tsx,jsx,py,go,cs,java,kt}'],
             ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**',
+                '**/*.test.*', '**/*.spec.*', '**/__tests__/**',
                 '**/.venv/**', '**/venv/**', '**/vendor/**', '**/__pycache__/**',
                 '**/bin/Debug/**', '**/bin/Release/**', '**/obj/**',
                 '**/target/**', '**/.gradle/**', '**/out/**'],
         });
-        Logger.info(`Phantom APIs: Scanning ${files.length} files`);
-        for (const file of files) {
+        const analyzableFiles = files.filter(file => !this.shouldSkipFile(file));
+        Logger.info(`Phantom APIs: Scanning ${analyzableFiles.length} files`);
+        for (const file of analyzableFiles) {
             try {
                 const fullPath = path.join(context.cwd, file);
                 const content = await fs.readFile(fullPath, 'utf-8');
@@ -90,6 +92,15 @@ export class PhantomApisGate extends Gate {
         }
         return failures;
     }
+    shouldSkipFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        return (this.config.ignore_patterns.some(pattern => new RegExp(pattern).test(normalized)) ||
+            normalized.includes('/examples/') ||
+            normalized.includes('/__tests__/') ||
+            normalized.endsWith('/phantom-apis-data.ts') ||
+            /\.test\.[^.]+$/i.test(normalized) ||
+            /\.spec\.[^.]+$/i.test(normalized));
+    }
     /**
      * Node.js stdlib method verification.
      * For each known module, we maintain the actual exported methods.
@@ -116,7 +127,9 @@ export class PhantomApisGate extends Gate {
             return;
         // Scan for method calls on imported modules
         for (let i = 0; i < lines.length; i++) {
-            const line = lines[i];
+            const line = this.stripJsCommentLine(lines[i]);
+            if (!line)
+                continue;
             for (const [alias, moduleName] of moduleAliases) {
                 // Match: alias.methodName( or alias.property.something(
                 const callPattern = new RegExp(`\\b${this.escapeRegex(alias)}\\.(\\w+)\\s*\\(`, 'g');
@@ -136,6 +149,18 @@ export class PhantomApisGate extends Gate {
             }
         }
     }
+    stripJsCommentLine(line) {
+        const trimmed = line.trim();
+        if (trimmed.length === 0 ||
+            trimmed.startsWith('//') ||
+            trimmed.startsWith('/*') ||
+            trimmed.startsWith('*/') ||
+            trimmed.startsWith('*')) {
+            return '';
+        }
+        const withoutInline = line.replace(/\/\/.*$/, '');
+        return withoutInline.trim();
+    }
     /**
      * Python stdlib method verification.
      */

package/dist/gates/phantom-apis.test.js

@@ -121,6 +121,20 @@ fs.readFileSyn('data.txt');
         expect(failures).toHaveLength(1);
         expect(failures[0].details).toContain('readFileSync');
     });
+    it('should ignore phantom method mentions inside comments', async () => {
+        mockFindFiles.mockResolvedValue(['src/docs.ts']);
+        mockReadFile.mockResolvedValue(`
+import fs from 'fs';
+// fs.readFileAsync('data.txt')
+/* path.combine('a', 'b') */
+/**
+ * fs.writeFilePromise('out.txt')
+ */
+const data = fs.readFileSync('real.txt', 'utf-8');
+        `);
+        const failures = await gate.run({ cwd: '/project' });
+        expect(failures).toHaveLength(0);
+    });
     it('should not scan when disabled', async () => {
         const disabled = new PhantomApisGate({ enabled: false });
         const failures = await disabled.run({ cwd: '/project' });

package/dist/gates/promise-safety.d.ts

@@ -45,4 +45,6 @@ export declare class PromiseSafetyGate extends Gate {
     private detectAsyncWithoutAwaitCSharp;
     private detectDeadlockRiskCSharp;
     private buildFailures;
+    private shouldSkipFile;
+    private sanitizeLine;
 }

package/dist/gates/promise-safety.js

@@ -47,6 +47,8 @@ export class PromiseSafetyGate extends Gate {
         for (const file of files) {
             if (this.config.ignore_patterns.some(p => new RegExp(p).test(file)))
                 continue;
+            if (this.shouldSkipFile(file))
+                continue;
             const lang = detectLang(file);
             if (lang === 'unknown')
                 continue;
@@ -81,26 +83,29 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnhandledThen(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (!/\.then\s*\(/.test(lines[i]))
+            const line = this.sanitizeLine(lines[i]);
+            if (!/\.then\s*\(/.test(line))
                 continue;
             let hasCatch = false;
             for (let j = i; j < Math.min(i + 10, lines.length); j++) {
-                if (/\.catch\s*\(/.test(lines[j])) {
+                const lookahead = this.sanitizeLine(lines[j]);
+                if (/\.catch\s*\(/.test(lookahead)) {
                     hasCatch = true;
                     break;
                 }
-                if (j > i && /^(?:const|let|var|function|class|export|import|if|for|while|return)\b/.test(lines[j].trim()))
+                if (j > i && /^(?:const|let|var|function|class|export|import|if|for|while|return)\b/.test(lookahead.trim()))
                     break;
             }
-            if (!hasCatch && !isInsideTryBlock(lines, i) && !/(?:const|let|var)\s+\w+\s*=/.test(lines[i])) {
-                violations.push({ file, line: i + 1, type: 'unhandled-then', code: lines[i].trim().substring(0, 80), reason: `.then() chain without .catch() — unhandled promise rejection` });
+            if (!hasCatch && !isInsideTryBlock(lines, i) && !/(?:const|let|var)\s+\w+\s*=/.test(line)) {
+                violations.push({ file, line: i + 1, type: 'unhandled-then', code: line.trim().substring(0, 80), reason: `.then() chain without .catch() — unhandled promise rejection` });
             }
         }
     }
     detectUnsafeParseJS(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (/JSON\.parse\s*\(/.test(lines[i]) && !isInsideTryBlock(lines, i)) {
-                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: lines[i].trim().substring(0, 80), reason: `JSON.parse() without try/catch — crashes on malformed input` });
+            const line = this.sanitizeLine(lines[i]);
+            if (/JSON\.parse\s*\(/.test(line) && !isInsideTryBlock(lines, i)) {
+                violations.push({ file, line: i + 1, type: 'unsafe-parse', code: line.trim().substring(0, 80), reason: `JSON.parse() without try/catch — crashes on malformed input` });
             }
         }
     }
@@ -121,11 +126,12 @@ export class PromiseSafetyGate extends Gate {
     }
     detectUnsafeFetchJS(lines, file, violations) {
         for (let i = 0; i < lines.length; i++) {
-            if (!/\bfetch\s*\(/.test(lines[i]) && !/\baxios\.\w+\s*\(/.test(lines[i]))
+            const line = this.sanitizeLine(lines[i]);
+            if (!/\bfetch\s*\(/.test(line) && !/\baxios\.\w+\s*\(/.test(line))
                 continue;
             if (isInsideTryBlock(lines, i) || hasCatchAhead(lines, i) || hasStatusCheckAhead(lines, i))
                 continue;
-            violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: lines[i].trim().substring(0, 80), reason: `HTTP call without error handling` });
+            violations.push({ file, line: i + 1, type: 'unsafe-fetch', code: line.trim().substring(0, 80), reason: `HTTP call without error handling` });
         }
     }
     scanPython(lines, content, file, violations) {
@@ -300,4 +306,20 @@ export class PromiseSafetyGate extends Gate {
         }
         return failures;
     }
+    shouldSkipFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        return (normalized.includes('/examples/') ||
+            /\/commands\/demo(?:-|\/)/.test(`/${normalized}`) ||
+            /\/gates\/(?:promise-safety|deprecated-apis-rules(?:-node|-lang)?)\.ts$/i.test(normalized));
+    }
+    sanitizeLine(line) {
+        // Remove obvious comments and quoted literals to avoid matching detector text/examples.
+        const withoutBlockTail = line.replace(/\/\*.*?\*\//g, '');
+        const withoutSingleComments = withoutBlockTail.replace(/\/\/.*$/, '');
+        const withoutQuoted = withoutSingleComments
+            .replace(/'(?:\\.|[^'\\])*'/g, "''")
+            .replace(/"(?:\\.|[^"\\])*"/g, '""')
+            .replace(/`(?:\\.|[^`\\])*`/g, '``');
+        return withoutQuoted;
+    }
 }

package/dist/gates/runner.js

@@ -187,10 +187,16 @@ export class GateRunner {
                 else {
                     summary['deep-analysis'] = 'PASS';
                 }
+                const isLocalDeepExecution = !deepOptions.apiKey || (deepOptions.provider || '').toLowerCase() === 'local';
+                const deepTier = isLocalDeepExecution
+                    ? (deepOptions.pro ? 'pro' : 'deep')
+                    : 'cloud';
                 deepStats = {
                     enabled: true,
-                    tier: deepOptions.apiKey ? 'cloud' : (deepOptions.pro ? 'pro' : 'deep'),
-                    model: deepOptions.apiKey ? (deepOptions.provider || 'cloud') : (deepOptions.pro ? 'Qwen2.5-Coder-1.5B' : 'Qwen2.5-Coder-0.5B'),
+                    tier: deepTier,
+                    model: isLocalDeepExecution
+                        ? (deepOptions.pro ? 'Qwen2.5-Coder-1.5B' : 'Qwen2.5-Coder-0.5B')
+                        : (deepOptions.modelName || deepOptions.provider || 'cloud'),
                     total_ms: Date.now() - deepSetupStart,
                     findings_count: deepFailures.length,
                     findings_verified: deepFailures.filter((f) => f.verified).length,

package/dist/gates/runner.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/gates/runner.test.js

@@ -0,0 +1,65 @@
+import fs from 'fs-extra';
+import os from 'os';
+import path from 'path';
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { GateRunner } from './runner.js';
+import { DeepAnalysisGate } from './deep-analysis.js';
+describe('GateRunner deep stats execution mode', () => {
+    let testDir;
+    beforeEach(async () => {
+        testDir = await fs.mkdtemp(path.join(os.tmpdir(), 'rigour-runner-deep-'));
+        await fs.writeFile(path.join(testDir, 'index.ts'), 'export const ok = true;\n');
+    });
+    afterEach(async () => {
+        vi.restoreAllMocks();
+        await fs.remove(testDir);
+    });
+    function createRunner() {
+        return new GateRunner({
+            version: 1,
+            commands: {},
+            gates: {
+                max_file_lines: 500,
+                forbid_todos: true,
+                forbid_fixme: true,
+            },
+        });
+    }
+    it('reports local deep tier when provider=local even with apiKey', async () => {
+        vi.spyOn(DeepAnalysisGate.prototype, 'run').mockResolvedValue([]);
+        const runner = createRunner();
+        const report = await runner.run(testDir, undefined, {
+            enabled: true,
+            apiKey: 'sk-test',
+            provider: 'local',
+            pro: false,
+        });
+        expect(report.stats.deep?.tier).toBe('deep');
+        expect(report.stats.deep?.model).toBe('Qwen2.5-Coder-0.5B');
+    });
+    it('reports local pro tier when provider=local and pro=true', async () => {
+        vi.spyOn(DeepAnalysisGate.prototype, 'run').mockResolvedValue([]);
+        const runner = createRunner();
+        const report = await runner.run(testDir, undefined, {
+            enabled: true,
+            apiKey: 'sk-test',
+            provider: 'local',
+            pro: true,
+        });
+        expect(report.stats.deep?.tier).toBe('pro');
+        expect(report.stats.deep?.model).toBe('Qwen2.5-Coder-1.5B');
+    });
+    it('reports cloud tier/model for cloud providers', async () => {
+        vi.spyOn(DeepAnalysisGate.prototype, 'run').mockResolvedValue([]);
+        const runner = createRunner();
+        const report = await runner.run(testDir, undefined, {
+            enabled: true,
+            apiKey: 'sk-test',
+            provider: 'openai',
+            modelName: 'gpt-4.1-mini',
+            pro: false,
+        });
+        expect(report.stats.deep?.tier).toBe('cloud');
+        expect(report.stats.deep?.model).toBe('gpt-4.1-mini');
+    });
+});

package/dist/gates/security-patterns.d.ts

@@ -45,6 +45,7 @@ export declare class SecurityPatternsGate extends Gate {
     constructor(config?: SecurityPatternsConfig);
     protected get provenance(): Provenance;
     run(context: GateContext): Promise<Failure[]>;
+    private shouldSkipSecurityFile;
     private scanFileForVulnerabilities;
 }
 /**

package/dist/gates/security-patterns.js

@@ -24,7 +24,7 @@ const VULNERABILITY_PATTERNS = [
     // SQL Injection
     {
         type: 'sql_injection',
-        regex: /(?:execute|query|raw|exec)\s*\(\s*[`'"].*\$\{.+\}|`\s*\+\s*\w+|\$\{.+\}.*(?:SELECT|INSERT|UPDATE|DELETE|DROP)/gi,
+        regex: /(?:execute|query|raw|exec)\s*\(\s*`[^`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^`]*\$\{[^}]+\}[^`]*`/gi,
         severity: 'critical',
         description: 'Potential SQL injection: User input concatenated into SQL query',
         cwe: 'CWE-89',
@@ -32,7 +32,7 @@ const VULNERABILITY_PATTERNS = [
     },
     {
         type: 'sql_injection',
-        regex: /\.query\s*\(\s*['"`].*\+.*\+.*['"`]\s*\)/g,
+        regex: /(?:execute|query|raw|exec)\s*\(\s*['"`][^'"`]*(?:SELECT|INSERT|UPDATE|DELETE|DROP|ALTER|CREATE|WITH)[^'"`]*['"`]\s*\+\s*[^)]+\)/gi,
         severity: 'critical',
         description: 'SQL query built with string concatenation',
         cwe: 'CWE-89',
@@ -117,7 +117,7 @@ const VULNERABILITY_PATTERNS = [
     // Command Injection
     {
         type: 'command_injection',
-        regex: /(?:exec|spawn|execSync|spawnSync)\s*\([^)]*(?:req\.|`.*\$\{)/g,
+        regex: /(?:exec|execSync|spawn|spawnSync)\s*\(\s*(?:`[^`]*\$\{[^}]*(?:req\.|query|params|body|input|user|argv|process\.env)[^}]*\}[^`]*`|[^)]*(?:req\.|query|params|body|input|user|argv|process\.env)[^)]*)\)/g,
         severity: 'critical',
         description: 'Potential command injection: shell execution with user input',
         cwe: 'CWE-78',
@@ -125,7 +125,7 @@ const VULNERABILITY_PATTERNS = [
     },
     {
         type: 'command_injection',
-        regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\(/g,
+        regex: /child_process.*\s*\.\s*(?:exec|spawn)\s*\([^)]*(?:req\.|query|params|body|input|user|argv|process\.env)/g,
         severity: 'high',
         description: 'child_process usage detected (verify input sanitization)',
         cwe: 'CWE-78',
@@ -254,9 +254,11 @@ export class SecurityPatternsGate extends Gate {
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
             patterns: ['**/*.{ts,js,tsx,jsx,py,java,go}'],
+            ignore: [...(context.ignore || []), '**/node_modules/**', '**/dist/**', '**/build/**', '**/.next/**', '**/coverage/**'],
         });
-        Logger.info(`Security Patterns Gate: Scanning ${files.length} files`);
-        for (const file of files) {
+        const scanFiles = files.filter(file => !this.shouldSkipSecurityFile(file));
+        Logger.info(`Security Patterns Gate: Scanning ${scanFiles.length} files`);
+        for (const file of scanFiles) {
             try {
                 const fullPath = path.join(context.cwd, file);
                 const content = await fs.readFile(fullPath, 'utf-8');
@@ -296,6 +298,20 @@ export class SecurityPatternsGate extends Gate {
         }
         return failures;
     }
+    shouldSkipSecurityFile(file) {
+        const normalized = file.replace(/\\/g, '/');
+        if (/\/(?:examples|studio-dist|dist|build|coverage|target|out)\//.test(`/${normalized}`))
+            return true;
+        if (/\/__tests__\//.test(`/${normalized}`))
+            return true;
+        if (/\/commands\/demo(?:-|\/)/.test(`/${normalized}`))
+            return true;
+        if (/\/gates\/deprecated-apis-rules(?:-node|-lang)?\.ts$/i.test(normalized))
+            return true;
+        if (/\.(test|spec)\.(?:ts|tsx|js|jsx|py|java|go)$/i.test(normalized))
+            return true;
+        return false;
+    }
     scanFileForVulnerabilities(content, file, ext, vulnerabilities) {
         const lines = content.split('\n');
         for (const pattern of VULNERABILITY_PATTERNS) {

package/dist/gates/security-patterns.test.js

@@ -41,6 +41,14 @@ describe('SecurityPatternsGate', () => {
             const vulns = await checkSecurityPatterns(filePath);
             expect(vulns.some(v => v.type === 'sql_injection')).toBe(true);
         });
+        it('should NOT flag non-SQL template interpolation in normal function calls', async () => {
+            const filePath = path.join(testDir, 'status.ts');
+            fs.writeFileSync(filePath, `
+                logger.info(\`Current version: \${current} -> \${latest}\`);
+            `);
+            const vulns = await checkSecurityPatterns(filePath);
+            expect(vulns.some(v => v.type === 'sql_injection')).toBe(false);
+        });
     });
     describe('XSS detection', () => {
         it('should detect innerHTML assignment', async () => {
@@ -129,5 +137,15 @@ describe('SecurityPatternsGate', () => {
             const failures = await gate.run({ cwd: testDir });
             expect(failures).toHaveLength(0); // High severity not blocked
         });
+        it('should skip fixture-style test files for gate-level scans', async () => {
+            const gate = new SecurityPatternsGate({ enabled: true });
+            const fixturePath = path.join(testDir, 'auth.test.ts');
+            fs.writeFileSync(fixturePath, `
+                const password = "supersecretpassword123";
+                eval(req.body.code);
+            `);
+            const failures = await gate.run({ cwd: testDir });
+            expect(failures).toHaveLength(0);
+        });
     });
 });

package/dist/hooks/templates.d.ts

@@ -19,4 +19,4 @@ export interface GeneratedHookFile {
 /**
  * Generate hook config files for a specific tool.
  */
-export declare function generateHookFiles(tool: HookTool, checkerPath: string): GeneratedHookFile[];
+export declare function generateHookFiles(tool: HookTool, checkerCommand: string): GeneratedHookFile[];

package/dist/hooks/templates.js

@@ -12,21 +12,21 @@
 /**
  * Generate hook config files for a specific tool.
  */
-export function generateHookFiles(tool, checkerPath) {
+export function generateHookFiles(tool, checkerCommand) {
     switch (tool) {
         case 'claude':
-            return generateClaudeHooks(checkerPath);
+            return generateClaudeHooks(checkerCommand);
         case 'cursor':
-            return generateCursorHooks(checkerPath);
+            return generateCursorHooks(checkerCommand);
         case 'cline':
-            return generateClineHooks(checkerPath);
+            return generateClineHooks(checkerCommand);
         case 'windsurf':
-            return generateWindsurfHooks(checkerPath);
+            return generateWindsurfHooks(checkerCommand);
         default:
             return [];
     }
 }
-function generateClaudeHooks(checkerPath) {
+function generateClaudeHooks(checkerCommand) {
     const settings = {
         hooks: {
             PostToolUse: [
@@ -35,7 +35,7 @@ function generateClaudeHooks(checkerPath) {
                     hooks: [
                         {
                             type: "command",
-                            command: `node ${checkerPath} --files "$TOOL_INPUT_file_path"`,
+                            command: `${checkerCommand} --files "$TOOL_INPUT_file_path"`,
                         }
                     ]
                 }
@@ -50,13 +50,13 @@ function generateClaudeHooks(checkerPath) {
         },
     ];
 }
-function generateCursorHooks(checkerPath) {
+function generateCursorHooks(checkerCommand) {
     const hooks = {
         version: 1,
         hooks: {
             afterFileEdit: [
                 {
-                    command: `node ${checkerPath} --stdin`,
+                    command: `${checkerCommand} --stdin`,
                 }
             ]
         }
@@ -109,7 +109,7 @@ process.stdin.on('end', async () => {
         },
     ];
 }
-function generateClineHooks(checkerPath) {
+function generateClineHooks(checkerCommand) {
     const script = `#!/usr/bin/env node
 /**
  * Cline PostToolUse hook for Rigour.
@@ -174,13 +174,13 @@ process.stdin.on('end', async () => {
         },
     ];
 }
-function generateWindsurfHooks(checkerPath) {
+function generateWindsurfHooks(checkerCommand) {
     const hooks = {
         version: 1,
         hooks: {
             post_write_code: [
                 {
-                    command: `node ${checkerPath} --stdin`,
+                    command: `${checkerCommand} --stdin`,
                 }
             ]
         }

package/dist/inference/executable.d.ts

@@ -0,0 +1,6 @@
+export interface ExecutableCheckResult {
+    ok: boolean;
+    fixed: boolean;
+}
+export declare function isExecutableBinary(binaryPath: string, platform?: NodeJS.Platform): boolean;
+export declare function ensureExecutableBinary(binaryPath: string, platform?: NodeJS.Platform): ExecutableCheckResult;

package/dist/inference/executable.js

@@ -0,0 +1,29 @@
+import fs from 'fs';
+export function isExecutableBinary(binaryPath, platform = process.platform) {
+    if (platform === 'win32') {
+        return fs.existsSync(binaryPath);
+    }
+    try {
+        fs.accessSync(binaryPath, fs.constants.X_OK);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export function ensureExecutableBinary(binaryPath, platform = process.platform) {
+    if (platform === 'win32') {
+        return { ok: fs.existsSync(binaryPath), fixed: false };
+    }
+    if (isExecutableBinary(binaryPath, platform)) {
+        return { ok: true, fixed: false };
+    }
+    try {
+        fs.chmodSync(binaryPath, 0o755);
+    }
+    catch {
+        return { ok: false, fixed: false };
+    }
+    const ok = isExecutableBinary(binaryPath, platform);
+    return { ok, fixed: ok };
+}

package/dist/inference/executable.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/inference/executable.test.js

@@ -0,0 +1,41 @@
+import fs from 'fs';
+import os from 'os';
+import path from 'path';
+import { afterEach, beforeEach, describe, expect, it } from 'vitest';
+import { ensureExecutableBinary, isExecutableBinary } from './executable.js';
+describe('executable helpers', () => {
+    let testDir;
+    beforeEach(() => {
+        testDir = fs.mkdtempSync(path.join(os.tmpdir(), 'rigour-exec-test-'));
+    });
+    afterEach(() => {
+        fs.rmSync(testDir, { recursive: true, force: true });
+    });
+    it('detects executable files', () => {
+        const binaryPath = path.join(testDir, 'rigour-brain');
+        fs.writeFileSync(binaryPath, '#!/usr/bin/env sh\necho ok\n', 'utf-8');
+        fs.chmodSync(binaryPath, 0o755);
+        expect(isExecutableBinary(binaryPath)).toBe(true);
+    });
+    it('repairs executable bit when missing', () => {
+        const binaryPath = path.join(testDir, 'rigour-brain');
+        fs.writeFileSync(binaryPath, '#!/usr/bin/env sh\necho ok\n', 'utf-8');
+        fs.chmodSync(binaryPath, 0o644);
+        const result = ensureExecutableBinary(binaryPath);
+        if (process.platform === 'win32') {
+            // Windows does not use POSIX executable bits.
+            expect(result.ok).toBe(true);
+            expect(result.fixed).toBe(false);
+            expect(isExecutableBinary(binaryPath)).toBe(true);
+            return;
+        }
+        // Some CI/filesystem setups can deny chmod transitions; in that case
+        // the helper should fail gracefully without throwing.
+        if (!result.ok) {
+            expect(result.fixed).toBe(false);
+            return;
+        }
+        expect(result.fixed).toBe(true);
+        expect(isExecutableBinary(binaryPath)).toBe(true);
+    });
+});

package/dist/inference/model-manager.d.ts

@@ -1,8 +1,10 @@
 import { type ModelTier, type ModelInfo } from './types.js';
+export declare function extractSha256FromEtag(etag: string | null): string | null;
+export declare function hashFileSha256(filePath: string): Promise<string>;
 /**
  * Check if a model is already downloaded and valid.
  */
-export declare function isModelCached(tier: ModelTier): boolean;
+export declare function isModelCached(tier: ModelTier): Promise<boolean>;
 /**
  * Get the path to a cached model.
  */