@stupify/cli 0.0.1 → 0.0.3

package/src/prompts.ts

@@ -0,0 +1,234 @@
+import type {
+  AuditPromptName,
+  CandidateContext,
+  DiffBatch,
+  SemChangeSet,
+  SemContext,
+  SemContextPack,
+  StupifyCheck,
+} from "./types.ts";
+
+export function scoutPrompt(batch: DiffBatch, checks: readonly StupifyCheck[], sourceLabel: string): string {
+  return `Pick diff hunks that match enabled checks.
+Return JSON only:
+{ "candidates": ["exact POINTER"] }
+
+Rules:
+- Use POINTER values exactly as shown.
+- Return at most 3 candidates.
+- Return { "candidates": [] } if clean.
+- Pick definitions over usage sites.
+
+${formatCompactChecks(checks)}
+
+SOURCE:
+${sourceLabel}
+
+DIFF BATCH ${batch.id}:
+${batch.text}`;
+}
+
+export function auditPrompt(
+  contexts: readonly CandidateContext[],
+  checks: readonly StupifyCheck[],
+  sourceLabel: string,
+): string {
+  return `Audit candidate diff regions against enabled checks.
+Return JSON only:
+{
+  "findings": [{ "checkId": "check_id", "why": "one sentence", "proof": "exact POINTER" }],
+  "summary": "one short sentence"
+}
+
+Rules:
+- Use only checks listed below.
+- checkId must be a check ID, never a POINTER.
+- proof must be one exact POINTER from candidate regions.
+- why describes the suspicious structure, not an identifier.
+- Do not describe an issue in summary unless it is also in findings.
+- If no findings, return { "findings": [], "summary": "No clear judgment-offload signal found." }.
+
+Allowed proof pointers:
+${contexts.map((context) => `- ${context.pointer}`).join("\n")}
+
+${formatFullChecks(checks)}
+
+SOURCE:
+${sourceLabel}
+
+CANDIDATE REGIONS:
+${contexts.map(formatContext).join("\n\n")}`;
+}
+
+export function semScoutPrompt(
+  changeSet: SemChangeSet,
+  checks: readonly StupifyCheck[],
+  maxCandidates: number,
+): string {
+  return `Pick changed entity/check targets worth auditing.
+Return JSON only:
+{ "targets": [{ "entityId": "exact entityId", "checkId": "check_id", "reason": "short scout reason" }] }
+
+Rules:
+- Use entityId values exactly as shown.
+- Each target has exactly one checkId.
+- Return at most ${maxCandidates} targets.
+- Return { "targets": [] } if clean.
+- Pick definitions over usage sites.
+- Prefer high recall, but do not attach unrelated checks.
+
+${formatCompactChecks(checks)}
+
+SOURCE:
+${changeSet.label}
+
+SEM CHANGE SUMMARY:
+${JSON.stringify(changeSet.summary, null, 2)}
+
+SEM ENTITY CHANGES:
+${changeSet.changes.map(formatSemChange).join("\n\n")}`;
+}
+
+export function findingsAuditPrompt(
+  contexts: readonly SemContext[],
+  pack: SemContextPack,
+  checks: readonly StupifyCheck[],
+  sourceLabel: string,
+  promptName: AuditPromptName,
+): string {
+  const task =
+    promptName === "high_bar"
+      ? `You are Stupify's audit model.
+You are reviewing candidate/check targets for signs that AI-assisted coding may have replaced engineering judgment.
+Only emit a finding if it is clearly useful to a developer.
+A useful finding must:
+- match the target's check exactly
+- point to a concrete change pattern
+- explain why the change may reflect judgment-offload
+- avoid generic code-review commentary
+If the target is normal engineering work, omit it.
+If the target is merely plausible but not strong, omit it.
+If the target does not exactly match its assigned check, omit it.`
+      : `You are Stupify's auditor.
+Audit only the listed target/check pairs.
+Emit only exceptions.`;
+
+  const highBarRules =
+    promptName === "high_bar"
+      ? `- Prefer clean over weak.
+- Prefer no finding over generic finding.
+- Do not emit style feedback unless the assigned check is truly about style.
+- Do not turn functional refactors into style mismatch findings.`
+      : "";
+
+  return `${task}
+Return JSON only:
+{
+  "findings": [
+    {
+      "targetId": "t001",
+      "why": "one sentence",
+      "proof": "short pointer"
+    }
+  ],
+  "uncertain": [
+    {
+      "targetId": "t002",
+      "why": "one sentence"
+    }
+  ]
+}
+
+Rules:
+- Inspect every target.
+- Each target has exactly one check.
+- Emit a finding only when the target clearly matches its check.
+- Emit uncertain only when the target may match, but evidence is insufficient.
+- If a target is clean, emit nothing for it.
+- Omitted target means clean.
+- Do not output clean reviews.
+- Do not explain clean targets.
+- Do not write "no evidence" as a finding.
+- Do not put negative statements in findings.
+- Prefer omission over weak findings.
+- Use only provided targetIds.
+- Do not search for other checks.
+- Do not quote source code.
+- Use packed file context only as supporting evidence for these candidate entities.
+${highBarRules}
+
+Targets:
+${contexts.map((context) => formatAuditTarget(context, checks)).join("\n\n")}
+
+SOURCE:
+${sourceLabel}
+
+CANDIDATE ENTITY DELTAS:
+${contexts.map(formatSemContext).join("\n\n")}
+
+PACKED FILE CONTEXT (${pack.provider}, ${pack.filePaths.length} files, ${pack.totalTokens} tokens):
+${pack.text || "(none)"}`;
+}
+
+function formatCompactChecks(checks: readonly StupifyCheck[]): string {
+  return `Checks:
+${checks.map((check) => `- ${check.id}: ${check.lookFor.join("; ")}`).join("\n")}`;
+}
+
+function formatFullChecks(checks: readonly StupifyCheck[]): string {
+  return checks.map(formatCheck).join("\n\n");
+}
+
+function formatCheck(check: StupifyCheck): string {
+  return `# ${check.name}
+ID: ${check.id}
+Q: ${check.question}
+Look for:
+${check.lookFor.map((signal) => `- ${signal}`).join("\n")}
+Ignore when:
+${check.ignoreWhen.map((signal) => `- ${signal}`).join("\n")}
+Match examples:
+${(check.examples?.match ?? []).map((example) => `- ${example}`).join("\n")}
+No-match examples:
+${(check.examples?.noMatch ?? []).map((example) => `- ${example}`).join("\n")}`;
+}
+
+function formatContext(context: CandidateContext): string {
+  return `POINTER ${context.pointer}
+${context.text}`;
+}
+
+function formatSemChange(change: SemChangeSet["changes"][number]): string {
+  return `ENTITY ${change.entityId}
+TYPE ${change.entityType}
+CHANGE ${change.changeType}
+PATH ${change.filePath}`;
+}
+
+function formatSemContext(context: SemContext): string {
+  return `TARGET ${context.targetId}
+ENTITY ${context.entityId}
+NAME ${context.entityName}
+KIND ${context.entityKind}
+CHANGE ${context.changeKind}
+CHECK ${context.checkId}
+SCOUT_REASON ${context.reason}
+CONTEXT:
+${context.text}`;
+}
+
+function formatAuditTarget(context: SemContext, checks: readonly StupifyCheck[]): string {
+  const check = checks.find((item) => item.id === context.checkId);
+  return `- targetId=${context.targetId} checkId=${context.checkId} entityId=${context.entityId}
+scoutReason=${context.reason}
+${check ? formatCheck(check) : ""}`;
+}
+
+function shortenCode(value: string | null): string {
+  if (!value) return "(none)";
+  const lines = value.split(/\r?\n/);
+  const limit = 80;
+  if (lines.length <= limit) return value;
+  return `${lines.slice(0, limit).join("\n")}
+[stupify: sem entity content shortened after ${limit} lines]`;
+}

package/src/render.ts

@@ -0,0 +1,107 @@
+import { VERSION } from "./constants.ts";
+import type { AnalysisReport, AnalyzeCommand } from "./types.ts";
+
+export function renderReport(report: AnalysisReport, command: AnalyzeCommand): string {
+  if (command.json) {
+    return JSON.stringify({
+      schemaVersion: "0.4",
+      model: { id: report.run.modelId },
+      checks: report.run.checkIds,
+      run: report.run,
+      findings: report.result.findings,
+      summary: report.result.summary,
+    }, null, 2);
+  }
+
+  if (report.run.engine === "sem") {
+    return `Search:
+  ${report.run.entitiesScanned} entities scanned
+  ${report.run.candidateCount} candidate entities found
+Audit:
+  ${report.run.auditedCandidateCount} candidates inspected
+  ${report.result.findings.length} findings
+${renderAuditStats(report)}
+${renderWarnings(report)}
+Findings:
+${renderFindings(report)}
+Timing:
+  total_ms=${report.run.timingsMs.total} entity_diff_ms=${report.run.timingsMs.diff} model_ms=${report.run.timingsMs.modelLoad} scout_ms=${report.run.timingsMs.search} context_audit_ms=${report.run.timingsMs.audit}`;
+  }
+
+  return `Search:
+  ${report.run.batchesScanned} batches scanned
+  ${report.run.candidateCount} candidate regions found
+Audit:
+  ${report.run.auditedCandidateCount} candidates inspected
+  ${report.result.findings.length} findings
+${renderWarnings(report)}
+Findings:
+${renderFindings(report)}
+Timing:
+  total_ms=${report.run.timingsMs.total} diff_ms=${report.run.timingsMs.diff} model_ms=${report.run.timingsMs.modelLoad} search_ms=${report.run.timingsMs.search} audit_ms=${report.run.timingsMs.audit}`;
+}
+
+export function helpText(): string {
+  return `Stupify ${VERSION}
+
+Usage:
+  stupify
+  stupify --since "2 weeks ago"
+  stupify --commit <commit>
+  stupify --commits <count>
+  stupify experiment <config.json>
+  git diff HEAD~1..HEAD | stupify --stdin
+
+Options:
+  --since <date>        Analyze the net diff from the first commit before this git date to HEAD.
+  --commit <commit>     Analyze one commit as a net diff.
+  --commits <count>     Analyze the net diff across the last N non-merge commits.
+  --stdin               Read a git diff from stdin.
+  --engine <engine>     raw-diff or sem. Default: raw-diff.
+  --scout <mode>        llm or counter for --engine sem. Default: counter.
+  --audit-context <mode>
+                         none or repomix for --engine sem. Default: repomix.
+  --audit-prompt <name> strict or high_bar for --engine sem. Default: high_bar.
+  --debug-sem           Print sem commands and stderr.
+  --debug-targets       Include audited sem target details in JSON output.
+  --max-candidates <n>  Max semantic candidates for --engine sem. Default: 10.
+  --audit-batch-size <n>
+                         Semantic candidates per audit model call. Default: 25.
+  --max-audit-input-tokens <n>
+                         Max findings-audit input tokens before splitting. Default: 20000.
+  --audit-concurrency <n>
+                         Parallel findings-audit model calls. Default: 2.
+  --checks <ids>        Comma-separated check ids.
+  --model <id>          gemma-4-e2b, gemma-4-e4b, gemma-4-26b-a4b, qwen3-4b-magicquant, qwen2.5-coder-1.5b, qwen2.5-coder-7b, or qwen2.5-coder-32b.
+  --json                Print JSON only.
+
+Default:
+  stupify is equivalent to stupify --since "2 weeks ago".
+
+Not included:
+  Baselines, sharing, hosted server calls, Ollama, GitHub, dashboards, or repo-wide scanning.
+`;
+}
+
+function renderFindings(report: AnalysisReport): string {
+  if (report.result.findings.length === 0) return "  None.";
+
+  return report.result.findings
+    .map((finding) => `- ${finding.checkId}
+  ${finding.why}
+  Proof: ${finding.proof}`)
+    .join("\n");
+}
+
+function renderWarnings(report: AnalysisReport): string {
+  if (report.run.warnings.length === 0) return "";
+  return `Warnings:
+${report.run.warnings.map((warning) => `  ${warning}`).join("\n")}
+`;
+}
+
+function renderAuditStats(report: AnalysisReport): string {
+  const stats = report.run.auditStats;
+  if (!stats) return "";
+  return `  ${stats.totalTargets} targets reviewed: ${stats.finding} finding, ${stats.uncertain} uncertain, ${stats.clean} clean, ${stats.invalid} invalid`;
+}

package/src/repomix-provider.ts

@@ -0,0 +1,163 @@
+import { mkdtemp, readFile, rm, stat } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import path from "node:path";
+import { pack, setLogLevel } from "repomix";
+import type { SemCandidate, SemChange, SemContext, SemContextPack } from "./types.ts";
+
+const MAX_PACK_FILE_SIZE_BYTES = 48 * 1024;
+const MAX_PACK_TOTAL_SIZE_BYTES = 128 * 1024;
+
+export function emptyContextPack(): SemContextPack {
+  return {
+    provider: "repomix",
+    filePaths: [],
+    totalCharacters: 0,
+    totalTokens: 0,
+    text: "",
+  };
+}
+
+export async function repomixContextPack(
+  cwd: string,
+  contexts: readonly SemContext[],
+  changes: readonly SemChange[],
+): Promise<SemContextPack> {
+  const filePaths = await candidateFilePaths(cwd, contexts, changes);
+  if (filePaths.length === 0) {
+    return emptyContextPack();
+  }
+
+  setLogLevel(-1);
+  const tempDir = await mkdtemp(path.join(tmpdir(), "stupify-repomix-"));
+  const outputPath = path.join(tempDir, "context.xml");
+  try {
+    const result = await pack(
+      [cwd],
+      {
+        cwd,
+        input: { maxFileSize: MAX_PACK_FILE_SIZE_BYTES },
+        output: {
+          filePath: outputPath,
+          style: "xml",
+          parsableStyle: false,
+          fileSummary: false,
+          directoryStructure: false,
+          files: true,
+          removeComments: false,
+          removeEmptyLines: true,
+          compress: true,
+          topFilesLength: 0,
+          showLineNumbers: true,
+          truncateBase64: true,
+          copyToClipboard: false,
+          includeFullDirectoryStructure: false,
+          tokenCountTree: false,
+          git: {
+            sortByChanges: false,
+            sortByChangesMaxCommits: 1,
+            includeDiffs: false,
+            includeLogs: false,
+            includeLogsCount: 1,
+          },
+        },
+        include: [],
+        ignore: {
+          useGitignore: true,
+          useDotIgnore: true,
+          useDefaultPatterns: true,
+          customPatterns: [],
+        },
+        security: { enableSecurityCheck: false },
+        tokenCount: { encoding: "o200k_base" },
+      } satisfies Parameters<typeof pack>[1],
+      () => undefined,
+      {},
+      [...filePaths],
+    );
+    return {
+      provider: "repomix",
+      filePaths,
+      totalCharacters: result.totalCharacters,
+      totalTokens: result.totalTokens,
+      text: await readFile(outputPath, "utf8"),
+    };
+  } finally {
+    await rm(tempDir, { recursive: true, force: true });
+  }
+}
+
+export function entityContextsFromChanges(
+  candidates: readonly SemCandidate[],
+  changes: readonly SemChange[],
+): readonly SemContext[] {
+  const byEntityId = new Map(changes.map((change) => [change.entityId, change]));
+  return candidates.flatMap((candidate): readonly SemContext[] => {
+    const change = byEntityId.get(candidate.entityId);
+    if (!change) return [];
+    return [{
+      targetId: candidate.targetId,
+      entityId: change.entityId,
+      entityName: change.entityName,
+      entityKind: change.entityType,
+      changeKind: change.changeType,
+      checkId: candidate.checkId,
+      reason: candidate.reason,
+      filePath: change.filePath,
+      text: JSON.stringify({
+        source: "sem diff",
+        file: change.filePath,
+        type: change.entityType,
+        name: change.entityName,
+        change: change.changeType,
+        before: shortenCode(change.beforeContent),
+        after: shortenCode(change.afterContent),
+      }, null, 2),
+    }];
+  });
+}
+
+async function candidateFilePaths(
+  cwd: string,
+  contexts: readonly SemContext[],
+  changes: readonly SemChange[],
+): Promise<readonly string[]> {
+  const byEntityId = new Map(changes.map((change) => [change.entityId, change.filePath]));
+  const paths = contexts.flatMap((context) => context.filePath ?? byEntityId.get(context.entityId) ?? []);
+  const safePaths = [...new Set(paths)].filter(isSafeRelativeFilePath);
+  const selected = [];
+  let totalBytes = 0;
+  for (const filePath of safePaths) {
+    const bytes = await fileSize(cwd, filePath);
+    if (bytes === null || bytes > MAX_PACK_FILE_SIZE_BYTES) continue;
+    if (totalBytes + bytes > MAX_PACK_TOTAL_SIZE_BYTES) continue;
+    totalBytes += bytes;
+    selected.push(filePath);
+  }
+  return selected;
+}
+
+function isSafeRelativeFilePath(value: string): boolean {
+  if (!value || path.isAbsolute(value)) return false;
+  const normalized = path.normalize(value);
+  return normalized !== "." && !normalized.startsWith("..") && !path.isAbsolute(normalized);
+}
+
+async function fileSize(cwd: string, filePath: string): Promise<number | null> {
+  try {
+    const fullPath = path.join(cwd, filePath);
+    if (!fullPath.startsWith(`${cwd}${path.sep}`)) return null;
+    const result = await stat(fullPath);
+    return result.isFile() ? result.size : null;
+  } catch {
+    return null;
+  }
+}
+
+function shortenCode(value: string | null): string {
+  if (!value) return "(none)";
+  const lines = value.split(/\r?\n/);
+  const limit = 120;
+  if (lines.length <= limit) return value;
+  return `${lines.slice(0, limit).join("\n")}
+[stupify: sem entity content shortened after ${limit} lines]`;
+}