@rigour-labs/core 5.0.0 → 5.1.0

package/README.md

@@ -28,6 +28,14 @@ The core library powering [Rigour](https://rigour.run) — 27+ quality gates, fi
 
 **Agent Governance:** Multi-agent scope isolation, EWMA-based checkpoint supervision, context drift, retry loop breaker, memory & skills governance with DLP scanning.
 
+### Real-Time Hook Engine
+
+Sub-200ms per-file-write checker with 5 fast gates (governance, hallucinated imports, promise safety, security patterns, file size). Generates native hook configs for Claude Code, Cursor, Cline, and Windsurf.
+
+### AI Agent DLP (Data Loss Prevention)
+
+29 credential patterns with anti-evasion hardening (unicode normalization, zero-width char removal, bidi control stripping, Shannon entropy detection >4.5 bits). Compliance-mapped to SOC2-CC6.1, HIPAA-164.312, PCI-DSS-3.4/3.5/6.5, OWASP-A2, CWE-798.
+
 ### Five-Signal Deep Analysis Pipeline
 
 Rigour's deep analysis is not a wrapper around a generic LLM. The model operates within a cage of deterministic facts:
@@ -46,7 +54,7 @@ Key capabilities: per-provenance EWMA streams (alpha=0.3), Z-score anomaly detec
 
 ### Multi-Language Support
 
-All gates support: TypeScript, JavaScript, Python, Go, Ruby, and C#/.NET.
+Hallucinated import detection supports 8 languages with stdlib whitelists and dependency manifest parsing: TypeScript, JavaScript, Python, Go, Ruby, C#/.NET, Rust, Java, and Kotlin. Core structural gates support all languages via AST analysis.
 
 ### Two-Score System
 

package/dist/gates/agent-team.d.ts

@@ -9,7 +9,6 @@
  * - Task scope violations
  * - Handoff context loss
  *
- * @since v2.14.0
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';

package/dist/gates/agent-team.js

@@ -9,7 +9,6 @@
  * - Task scope violations
  * - Handoff context loss
  *
- * @since v2.14.0
  */
 import { Gate } from './base.js';
 import { Logger } from '../utils/logger.js';

package/dist/gates/checkpoint.d.ts

@@ -18,8 +18,6 @@
  * - EWMA: one bad score dampened by history, persistent drops amplified
  * - α=0.3: ~70% weight on history, 30% on new data → noise-resistant
  *
- * @since v2.14.0 (original, linear regression)
- * @since v5.0.0  (EWMA drift detection)
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';

package/dist/gates/checkpoint.js

@@ -18,8 +18,6 @@
  * - EWMA: one bad score dampened by history, persistent drops amplified
  * - α=0.3: ~70% weight on history, 30% on new data → noise-resistant
  *
- * @since v2.14.0 (original, linear regression)
- * @since v5.0.0  (EWMA drift detection)
  */
 import { Gate } from './base.js';
 import { Logger } from '../utils/logger.js';

package/dist/gates/context-window-artifacts.d.ts

@@ -13,7 +13,6 @@
  * 4. Error handling becomes sparser toward the bottom
  * 5. Code style inconsistencies emerge (indentation, spacing)
  *
- * @since v2.16.0
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';
@@ -31,5 +30,10 @@ export declare class ContextWindowArtifactsGate extends Gate {
     private shouldSkipFile;
     private analyzeFile;
     private measureHalf;
-    private measureFunctionLengths;
+    private measureFunctionLengthsFromAdapter;
+    private countSingleCharVariablesFromAdapter;
+    private getAvgIdentifierLengthFromAdapter;
+    private measureFunctionLengthsLegacy;
+    private countSingleCharVariablesLegacy;
+    private getAvgIdentifierLengthLegacy;
 }

package/dist/gates/context-window-artifacts.js

@@ -13,11 +13,11 @@
  * 4. Error handling becomes sparser toward the bottom
  * 5. Code style inconsistencies emerge (indentation, spacing)
  *
- * @since v2.16.0
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
 import { Logger } from '../utils/logger.js';
+import { languageAdapters } from './language-adapters/index.js';
 import fs from 'fs-extra';
 import path from 'path';
 export class ContextWindowArtifactsGate extends Gate {
@@ -36,7 +36,7 @@ export class ContextWindowArtifactsGate extends Gate {
         if (!this.config.enabled)
             return [];
         const failures = [];
-        const scanPatterns = context.patterns || ['**/*.{ts,js,tsx,jsx,py}'];
+        const scanPatterns = context.patterns || languageAdapters.getScanPatterns();
         const files = await FileScanner.findFiles({
             cwd: context.cwd,
             patterns: scanPatterns,
@@ -51,7 +51,7 @@ export class ContextWindowArtifactsGate extends Gate {
                 const lines = content.split('\n');
                 if (lines.length < this.config.min_file_lines)
                     continue;
-                const metrics = this.analyzeFile(content, file);
+                const metrics = this.analyzeFile(content, file, path.join(context.cwd, file));
                 if (metrics && metrics.signals.length >= this.config.signals_required &&
                     metrics.degradationScore >= this.config.degradation_threshold) {
                     const signalList = metrics.signals.map(s => `  • ${s}`).join('\n');
@@ -68,13 +68,13 @@ export class ContextWindowArtifactsGate extends Gate {
         return (normalized.includes('/examples/') ||
             normalized.includes('/src/gates/'));
     }
-    analyzeFile(content, file) {
+    analyzeFile(content, file, fullPath) {
         const lines = content.split('\n');
         const midpoint = Math.floor(lines.length / 2);
         const topContent = lines.slice(0, midpoint).join('\n');
         const bottomContent = lines.slice(midpoint).join('\n');
-        const topMetrics = this.measureHalf(topContent);
-        const bottomMetrics = this.measureHalf(bottomContent);
+        const topMetrics = this.measureHalf(topContent, fullPath);
+        const bottomMetrics = this.measureHalf(bottomContent, fullPath);
         const signals = [];
         let degradationScore = 0;
         // Signal 1: Comment density drops (use threshold to avoid tiny-denominator noise)
@@ -136,42 +136,44 @@ export class ContextWindowArtifactsGate extends Gate {
             signals,
         };
     }
-    measureHalf(content) {
+    measureHalf(content, fullPath) {
+        const adapter = languageAdapters.getAdapter(fullPath);
         const lines = content.split('\n');
-        const codeLines = lines.filter(l => l.trim() && !l.trim().startsWith('//') && !l.trim().startsWith('#') && !l.trim().startsWith('*'));
-        // Only count inline comments (//), not JSDoc/block comments (/** ... */ or * ...)
-        // JSDoc tends to cluster at file top, skewing "degradation" unfairly
+        // Strip comments using adapter if available, otherwise fallback
+        const codeWithoutComments = adapter ? adapter.stripComments(content) : content;
+        const codeLines = codeWithoutComments.split('\n').filter(l => l.trim());
+        // Count inline comments (// for C-style, # for Python/Ruby)
+        // Exclude JSDoc/block comments (/** ... */ or * ...) which cluster at top unfairly
         const commentLines = lines.filter(l => {
             const trimmed = l.trim();
             return trimmed.startsWith('//') || trimmed.startsWith('#');
         });
         // Comment density
         const commentDensity = codeLines.length > 0 ? commentLines.length / codeLines.length : 0;
-        // Function lengths
-        const funcLengths = this.measureFunctionLengths(content);
+        // Function lengths using adapter if available
+        const funcLengths = adapter
+            ? this.measureFunctionLengthsFromAdapter(content, adapter)
+            : this.measureFunctionLengthsLegacy(content);
         const avgFunctionLength = funcLengths.length > 0
             ? funcLengths.reduce((a, b) => a + b, 0) / funcLengths.length
             : 0;
-        // Single-char variables (excluding common loop vars i, j, k in for loops)
-        const singleCharMatches = content.match(/\b(?:const|let|var)\s+([a-z])\b/g) || [];
-        const singleCharVarCount = singleCharMatches.length;
-        // Error handling density
-        const tryCount = (content.match(/\btry\s*\{/g) || []).length;
+        // Single-char variables — using naming patterns from adapter if available
+        const singleCharVarCount = adapter
+            ? this.countSingleCharVariablesFromAdapter(adapter, content)
+            : this.countSingleCharVariablesLegacy(content);
+        // Error handling density — use adapter if available
+        const errorHandlers = adapter ? adapter.extractErrorHandlers(content) : [];
+        const totalErrHandling = errorHandlers.length;
         const funcCount = Math.max(1, funcLengths.length);
-        const errorHandlingDensity = tryCount / funcCount;
+        const errorHandlingDensity = totalErrHandling / funcCount;
         // Empty blocks
         const emptyBlockCount = (content.match(/\{\s*\}/g) || []).length;
         // TODO/FIXME/HACK count
         const todoCount = (content.match(/\b(TODO|FIXME|HACK|XXX)\b/gi) || []).length;
-        // Average identifier length
-        const identifiers = content.match(/\b(?:const|let|var|function)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g) || [];
-        const identNames = identifiers.map(m => {
-            const parts = m.split(/\s+/);
-            return parts[parts.length - 1];
-        });
-        const avgIdentifierLength = identNames.length > 0
-            ? identNames.reduce((sum, n) => sum + n.length, 0) / identNames.length
-            : 0;
+        // Average identifier length using naming patterns from adapter if available
+        const avgIdentifierLength = adapter
+            ? this.getAvgIdentifierLengthFromAdapter(adapter, content)
+            : this.getAvgIdentifierLengthLegacy(content);
         return {
             commentDensity,
             avgFunctionLength,
@@ -182,18 +184,48 @@ export class ContextWindowArtifactsGate extends Gate {
             avgIdentifierLength,
         };
     }
-    measureFunctionLengths(content) {
+    measureFunctionLengthsFromAdapter(content, adapter) {
+        if (!adapter)
+            return [];
+        const functions = adapter.extractFunctions(content);
+        return functions.map(func => func.endLine - func.startLine + 1);
+    }
+    countSingleCharVariablesFromAdapter(adapter, content) {
+        if (!adapter)
+            return 0;
+        const patterns = adapter.extractNamingPatterns(content);
+        return patterns.filter(p => p.name.length === 1 && p.kind === 'variable').length;
+    }
+    getAvgIdentifierLengthFromAdapter(adapter, content) {
+        if (!adapter)
+            return 0;
+        const patterns = adapter.extractNamingPatterns(content);
+        if (patterns.length === 0)
+            return 0;
+        const totalLength = patterns.reduce((sum, p) => sum + p.name.length, 0);
+        return totalLength / patterns.length;
+    }
+    measureFunctionLengthsLegacy(content) {
         const lines = content.split('\n');
         const lengths = [];
-        const funcStarts = [
+        // Brace-based function patterns (JS/TS, Go, Rust, Java, Kotlin, C#)
+        const bracePatterns = [
             /^(?:export\s+)?(?:async\s+)?function\s+\w+/,
             /^(?:export\s+)?(?:const|let|var)\s+\w+\s*=\s*(?:async\s+)?(?:\([^)]*\)|\w+)\s*=>/,
             /^\s+(?:async\s+)?\w+\s*\([^)]*\)\s*\{/,
+            /^func\s+/, // Go
+            /^\s*(?:pub\s+)?(?:async\s+)?fn\s+/, // Rust
+            /^\s*(?:public|private|protected|internal|static|override)\s+.*\w+\s*\(/, // Java/C#/Kotlin
+        ];
+        // Indent-based function patterns (Python, Ruby)
+        const indentPatterns = [
+            /^\s*(?:async\s+)?def\s+\w+/, // Python/Ruby
         ];
         for (let i = 0; i < lines.length; i++) {
-            for (const pattern of funcStarts) {
+            // Try brace-based languages first
+            let matched = false;
+            for (const pattern of bracePatterns) {
                 if (pattern.test(lines[i])) {
-                    // Count function body length
                     let braceDepth = 0;
                     let started = false;
                     let bodyLines = 0;
@@ -211,6 +243,29 @@ export class ContextWindowArtifactsGate extends Gate {
                         if (started && braceDepth === 0)
                             break;
                     }
+                    if (bodyLines > 0)
+                        lengths.push(bodyLines);
+                    matched = true;
+                    break;
+                }
+            }
+            if (matched)
+                continue;
+            // Try indent-based languages
+            for (const pattern of indentPatterns) {
+                if (pattern.test(lines[i])) {
+                    const indent = lines[i].match(/^(\s*)/)?.[1]?.length || 0;
+                    let bodyLines = 0;
+                    for (let j = i + 1; j < lines.length; j++) {
+                        if (lines[j].trim() === '') {
+                            bodyLines++;
+                            continue;
+                        }
+                        const curIndent = lines[j].match(/^(\s*)/)?.[1]?.length || 0;
+                        if (curIndent <= indent)
+                            break;
+                        bodyLines++;
+                    }
                     if (bodyLines > 0)
                         lengths.push(bodyLines);
                     break;
@@ -219,4 +274,25 @@ export class ContextWindowArtifactsGate extends Gate {
         }
         return lengths;
     }
+    countSingleCharVariablesLegacy(content) {
+        const singleCharPatternsJS = content.match(/\b(?:const|let|var)\s+([a-z])\b/g) || [];
+        const singleCharPatternsPy = content.match(/^\s*([a-z])\s*=/gm) || [];
+        const singleCharPatternsGo = content.match(/\b(\w)\s*:=/g) || [];
+        return singleCharPatternsJS.length + singleCharPatternsPy.length + singleCharPatternsGo.length;
+    }
+    getAvgIdentifierLengthLegacy(content) {
+        const identPatternsJS = content.match(/\b(?:const|let|var|function)\s+([a-zA-Z_$][a-zA-Z0-9_$]*)/g) || [];
+        const identPatternsPy = content.match(/\bdef\s+([a-zA-Z_]\w*)/g) || [];
+        const identPatternsGo = content.match(/\bfunc\s+(?:\([^)]+\)\s+)?([a-zA-Z_]\w*)/g) || [];
+        const identPatternsRs = content.match(/\bfn\s+([a-zA-Z_]\w*)/g) || [];
+        const identPatternsRb = content.match(/\bdef\s+(?:self\.)?([a-zA-Z_]\w*)/g) || [];
+        const allIdents = [...identPatternsJS, ...identPatternsPy, ...identPatternsGo, ...identPatternsRs, ...identPatternsRb];
+        const identNames = allIdents.map(m => {
+            const parts = m.split(/\s+/);
+            return parts[parts.length - 1];
+        });
+        return identNames.length > 0
+            ? identNames.reduce((sum, n) => sum + n.length, 0) / identNames.length
+            : 0;
+    }
 }

package/dist/gates/deep-analysis.d.ts

@@ -24,5 +24,7 @@ export declare class DeepAnalysisGate extends Gate {
     private provider;
     constructor(config: DeepGateConfig);
     protected get provenance(): Provenance;
+    /** Check if a file is a likely entry point (higher analysis priority) */
+    private isEntryPoint;
     run(context: GateContext): Promise<Failure[]>;
 }

package/dist/gates/deep-analysis.js

@@ -13,8 +13,11 @@ import { createProvider } from '../inference/index.js';
 import { extractFacts, factsToPromptString, chunkFacts, buildAnalysisPrompt, buildCrossFilePrompt, verifyFindings } from '../deep/index.js';
 import { checkLocalPatterns } from '../storage/local-memory.js';
 import { Logger } from '../utils/logger.js';
-/** Max files to analyze before truncating (prevents OOM on huge repos) */
-const MAX_ANALYZABLE_FILES = 500;
+import path from 'path';
+/** Default batch size for streaming analysis of large repos.
+ *  Files are processed in batches to avoid OOM on huge repos.
+ *  Optional soft limit via rigour.yml: deep.maxFiles */
+const DEFAULT_BATCH_SIZE = 200;
 /** Setup timeout: 120s for model download, 30s for API connection */
 const SETUP_TIMEOUT_MS = 120_000;
 export class DeepAnalysisGate extends Gate {
@@ -27,6 +30,18 @@ export class DeepAnalysisGate extends Gate {
     get provenance() {
         return 'deep-analysis';
     }
+    /** Check if a file is a likely entry point (higher analysis priority) */
+    isEntryPoint(filePath) {
+        const basename = path.basename(filePath).toLowerCase();
+        const entryNames = [
+            'index.ts', 'index.js', 'index.tsx', 'index.jsx', 'index.mjs',
+            'main.ts', 'main.js', 'main.py', 'main.go', 'main.rs', 'main.java', 'main.kt',
+            'app.ts', 'app.js', 'app.py', 'app.go', 'app.rb',
+            'server.ts', 'server.js', 'server.py', 'server.go',
+            'mod.rs', 'lib.rs',
+        ];
+        return entryNames.includes(basename);
+    }
     async run(context) {
         const { onProgress } = this.config;
         const failures = [];
@@ -53,21 +68,36 @@ export class DeepAnalysisGate extends Gate {
                 onProgress?.('  No analyzable files found. Check ignore patterns and file extensions.');
                 return [];
             }
-            // Cap file count to prevent OOM on huge repos
-            if (allFacts.length > MAX_ANALYZABLE_FILES) {
-                onProgress?.(`  ⚠ Found ${allFacts.length} files, capping at ${MAX_ANALYZABLE_FILES} (largest files prioritized).`);
-                // Sort by line count descending — analyze the biggest files first
-                allFacts.sort((a, b) => b.lineCount - a.lineCount);
-                allFacts = allFacts.slice(0, MAX_ANALYZABLE_FILES);
+            // Smart prioritization: entry points first, then by complexity
+            allFacts.sort((a, b) => {
+                const aEntry = this.isEntryPoint(a.path) ? 1 : 0;
+                const bEntry = this.isEntryPoint(b.path) ? 1 : 0;
+                if (aEntry !== bEntry)
+                    return bEntry - aEntry;
+                return b.lineCount - a.lineCount;
+            });
+            // Optional soft limit — if user configures deep.maxFiles, respect it
+            // Otherwise process ALL files in batches (no hard cap)
+            if (this.config.options.maxFiles && allFacts.length > this.config.options.maxFiles) {
+                onProgress?.(`  Limiting to ${this.config.options.maxFiles} files (configured in rigour.yml).`);
+                allFacts = allFacts.slice(0, this.config.options.maxFiles);
             }
             const agentCount = this.config.options.agents || 1;
             const isCloud = !!this.config.options.apiKey;
             onProgress?.(`  Found ${allFacts.length} files to analyze${agentCount > 1 ? ` with ${agentCount} parallel agents` : ''}.`);
             // Step 1.5: Check local project memory for known patterns (instant, no LLM)
+            // Wrapped in try/catch: sqlite3 may not be available in all environments
             const fileList = allFacts.map(f => f.path).filter(Boolean);
-            const localFindings = checkLocalPatterns(context.cwd, fileList);
-            if (localFindings.length > 0) {
-                onProgress?.(`  🧠 Local memory: ${localFindings.length} known pattern(s) matched instantly.`);
+            let localFindings = [];
+            try {
+                localFindings = await checkLocalPatterns(context.cwd, fileList);
+                if (localFindings.length > 0) {
+                    onProgress?.(`  🧠 Local memory: ${localFindings.length} known pattern(s) matched instantly.`);
+                }
+            }
+            catch (error) {
+                Logger.debug(`Local memory check skipped (${error.message?.substring(0, 80)})`);
+                onProgress?.('  ℹ Local memory unavailable — continuing with LLM analysis only.');
             }
             // Step 2: LLM interprets facts (in chunks)
             const chunks = chunkFacts(allFacts);

package/dist/gates/dependency.d.ts

@@ -12,8 +12,6 @@
  * - Using heavy/popular packages when lighter alternatives exist
  * - Installing multiple HTTP clients, date libs, etc. across different sessions
  *
- * @since v2.0.0 (forbidden deps)
- * @since v5.1.0 (unused, heavy alternatives, duplicate purpose)
  */
 import { Failure, Config } from '../types/index.js';
 import { Gate, GateContext } from './base.js';

package/dist/gates/dependency.js

@@ -12,8 +12,6 @@
  * - Using heavy/popular packages when lighter alternatives exist
  * - Installing multiple HTTP clients, date libs, etc. across different sessions
  *
- * @since v2.0.0 (forbidden deps)
- * @since v5.1.0 (unused, heavy alternatives, duplicate purpose)
  */
 import fs from 'fs-extra';
 import path from 'path';
@@ -29,7 +27,7 @@ const HEAVY_ALTERNATIVES = {
     'lodash': 'lodash-es (tree-shakeable) or native Array/Object methods',
     'underscore': 'native ES6+ methods (Array.map, Object.entries, etc.)',
     'axios': 'native fetch API (built into Node 18+)',
-    'request': 'node-fetch or native fetch (deprecated since 2020)',
+    'request': 'got, undici, or native fetch (request deprecated since 2020)',
     'bluebird': 'native Promise (built-in since ES2015)',
     'jquery': 'native DOM APIs (querySelector, fetch, classList)',
     'classnames': 'clsx (0.3KB vs 1KB) or template literals',
@@ -38,6 +36,24 @@ const HEAVY_ALTERNATIVES = {
     'is-even': 'n % 2 === 0 (one-liner)',
     'is-odd': 'n % 2 !== 0 (one-liner)',
     'chalk': 'picocolors (14x smaller, faster)',
+    'colors': 'picocolors (colors has had supply chain attacks)',
+    'node-fetch': 'native fetch API (built into Node 18+)',
+    'cross-fetch': 'native fetch API (built into Node 18+)',
+    'isomorphic-fetch': 'native fetch API (built into Node 18+)',
+    'whatwg-fetch': 'native fetch API (built into Node 18+)',
+    'faker': '@faker-js/faker (faker was hijacked in supply chain attack)',
+    'glob': 'fast-glob or fs.glob (built into Node 22+)',
+    'rimraf': 'fs.rm with { recursive: true } (built into Node 14+)',
+    'mkdirp': 'fs.mkdir with { recursive: true } (built into Node 10+)',
+    'ncp': 'fs.cp with { recursive: true } (built into Node 16+)',
+    'node-uuid': 'crypto.randomUUID() (node-uuid is unmaintained)',
+    'q': 'native Promise (Q is legacy)',
+    'async': 'native Promise.all/allSettled/race (async lib is legacy)',
+    'superagent': 'native fetch API (built into Node 18+)',
+    'path-exists': 'fs.existsSync() or fs.access() (one-liner)',
+    'path-is-absolute': 'path.isAbsolute() (built-in)',
+    'string-width': 'Intl.Segmenter for grapheme-aware measurement',
+    'strip-ansi': 'picocolors includes strip (or regex one-liner)',
 };
 /**
  * Functional groups — if >1 package from same group is installed,
@@ -156,10 +172,12 @@ export class DependencyGate extends Gate {
      */
     async detectUnusedDeps(context, pkg, depNames, allowlist) {
         const failures = [];
-        // Only check production + dev dependencies (not peer)
+        // Check production + dev dependencies. Peer deps and optional deps are valid — skip them.
         const prodDeps = Object.keys(pkg.dependencies || {});
         const devDeps = Object.keys(pkg.devDependencies || {});
-        const checkDeps = [...prodDeps, ...devDeps];
+        const peerDeps = new Set(Object.keys(pkg.peerDependencies || {}));
+        const optionalDeps = new Set(Object.keys(pkg.optionalDependencies || {}));
+        const checkDeps = [...prodDeps, ...devDeps].filter(d => !peerDeps.has(d) && !optionalDeps.has(d));
         if (checkDeps.length === 0)
             return [];
         // Default allowlist patterns for known side-effect packages

package/dist/gates/deprecated-apis.d.ts

@@ -17,8 +17,6 @@
  *   C#     — Deprecated .NET APIs (WebClient, BinaryFormatter, etc.)
  *   Java   — Deprecated JDK APIs (Date, Vector, Hashtable, etc.)
  *
- * @since v3.0.0
- * @since v3.0.3 — Go, C#, Java deprecated API detection added
  */
 import { Gate, GateContext } from './base.js';
 import { Failure, Provenance } from '../types/index.js';

package/dist/gates/deprecated-apis.js

@@ -17,12 +17,11 @@
  *   C#     — Deprecated .NET APIs (WebClient, BinaryFormatter, etc.)
  *   Java   — Deprecated JDK APIs (Date, Vector, Hashtable, etc.)
  *
- * @since v3.0.0
- * @since v3.0.3 — Go, C#, Java deprecated API detection added
  */
 import { Gate } from './base.js';
 import { FileScanner } from '../utils/scanner.js';
 import { Logger } from '../utils/logger.js';
+import { languageAdapters } from './language-adapters/index.js';
 import fs from 'fs-extra';
 import path from 'path';
 import { NODE_DEPRECATED_RULES, WEB_DEPRECATED_RULES, PYTHON_DEPRECATED_RULES, GO_DEPRECATED_RULES, CSHARP_DEPRECATED_RULES, JAVA_DEPRECATED_RULES } from './deprecated-apis-rules.js';
@@ -65,24 +64,38 @@ export class DeprecatedApisGate extends Gate {
             try {
                 const fullPath = path.join(context.cwd, file);
                 const content = await fs.readFile(fullPath, 'utf-8');
-                const ext = path.extname(file);
-                if (['.ts', '.js', '.tsx', '.jsx'].includes(ext)) {
-                    if (this.config.check_node)
-                        this.checkNodeDeprecated(content, file, deprecated);
-                    if (this.config.check_web)
-                        this.checkWebDeprecated(content, file, deprecated);
-                }
-                else if (ext === '.py' && this.config.check_python) {
-                    this.checkPythonDeprecated(content, file, deprecated);
-                }
-                else if (ext === '.go' && this.config.check_go) {
-                    this.checkGoDeprecated(content, file, deprecated);
-                }
-                else if (ext === '.cs' && this.config.check_csharp) {
-                    this.checkCSharpDeprecated(content, file, deprecated);
-                }
-                else if ((ext === '.java' || ext === '.kt') && this.config.check_java) {
-                    this.checkJavaDeprecated(content, file, deprecated);
+                const adapter = languageAdapters.getAdapter(file);
+                if (!adapter)
+                    continue;
+                /** Map adapter IDs to config flags */
+                const configCheck = {
+                    js: this.config.check_node,
+                    python: this.config.check_python,
+                    go: this.config.check_go,
+                    csharp: this.config.check_csharp,
+                    java: this.config.check_java,
+                };
+                if (configCheck[adapter.id] === false)
+                    continue;
+                switch (adapter.id) {
+                    case 'js':
+                        if (this.config.check_node)
+                            this.checkNodeDeprecated(content, file, deprecated);
+                        if (this.config.check_web)
+                            this.checkWebDeprecated(content, file, deprecated);
+                        break;
+                    case 'python':
+                        this.checkPythonDeprecated(content, file, deprecated);
+                        break;
+                    case 'go':
+                        this.checkGoDeprecated(content, file, deprecated);
+                        break;
+                    case 'csharp':
+                        this.checkCSharpDeprecated(content, file, deprecated);
+                        break;
+                    case 'java':
+                        this.checkJavaDeprecated(content, file, deprecated);
+                        break;
                 }
             }
             catch { /* skip */ }

package/dist/gates/duplication-drift/index.d.ts

@@ -0,0 +1,61 @@
+/**
+ * Duplication Drift Gate (v2)
+ *
+ * Detects when AI generates near-identical functions across files because
+ * it doesn't remember what it already wrote. This is an AI-specific failure
+ * mode — humans reuse via copy-paste (same file), AI re-invents (cross-file).
+ *
+ * v2 upgrades:
+ * - tree-sitter AST node type sequences replace hand-rolled regex tokenizer
+ * - Jaccard similarity on AST node multisets (structural, not textual)
+ * - Catches duplicates even when every variable name is different
+ * - MD5 kept as fast-path for exact matches, Jaccard runs on remaining pairs
+ *
+ * Detection strategy (three-pass):
+ * 1. Extract function bodies, normalize text (strip comments/whitespace)
+ * 2. Parse with tree-sitter → walk AST → collect node type multiset
+ * 3. Generate semantic embeddings via all-MiniLM-L6-v2 (384D)
+ * 4. Pass 1 (fast):     MD5 hash → exact duplicates (O(n), <10ms)
+ * 5. Pass 2 (Jaccard):  AST node multiset similarity → structural near-duplicates (O(n²) bounded)
+ * 6. Pass 3 (semantic):  Embedding cosine similarity → semantic duplicates (O(n²) bounded)
+ * 7. Flag functions with similarity > threshold in different files
+ *
+ * Why AST node types > raw tokens:
+ * - `getUserById(id) { return db.find(x => x.id === id) }`
+ * - `fetchUser(userId) { return database.filter(u => u.id === userId)[0] }`
+ * Both produce similar AST: [return_statement, call_expression, arrow_function,
+ *   binary_expression, member_expression]. Variable names are invisible.
+ */
+import { Gate, GateContext } from '../base.js';
+import { Failure, Provenance } from '../../types/index.js';
+import { FunctionSignature } from './similarity.js';
+export interface DuplicationDriftConfig {
+    enabled?: boolean;
+    similarity_threshold?: number;
+    semantic_threshold?: number;
+    semantic_enabled?: boolean;
+    min_body_lines?: number;
+    approved_duplications?: string[];
+}
+export type { FunctionSignature };
+export declare class DuplicationDriftGate extends Gate {
+    private config;
+    private parser;
+    constructor(config?: DuplicationDriftConfig);
+    protected get provenance(): Provenance;
+    run(context: GateContext): Promise<Failure[]>;
+    /**
+     * Parse the file with tree-sitter, find function nodes that match
+     * our extracted functions (by line number), and replace their token
+     * multisets with AST node type sequences.
+     */
+    private enrichWithASTTokens;
+    private extractJSFunctions;
+    private extractPyFunctions;
+    /**
+     * Enrich functions with semantic embeddings for Pass 3.
+     * Only called for functions not already claimed by Pass 1/2.
+     * Uses generateEmbedding() from pattern-index/embeddings.ts.
+     */
+    private enrichWithEmbeddings;
+}