agent-gov-core 0.3.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Conal Hg
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,92 @@
+# agent-gov-core
+
+[![npm](https://img.shields.io/npm/v/agent-gov-core)](https://www.npmjs.com/package/agent-gov-core)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+Shared primitives for the AI-agent governance suite — a small library that ScopeTrail, PolicyMesh, CapabilityEcho, TaskBound, and SessionTrail all consume so common parsers, locators, and the `Finding` schema live in one place instead of five.
+
+Zero runtime dependencies. ESM, TypeScript, target ES2022.
+
+## Install
+
+```sh
+npm install agent-gov-core
+```
+
+## The canonical Finding
+
+Every tool in the suite emits findings against the same schema. The `kind` field is a namespaced string `<tool>.<slug>` so a downstream meta-reviewer can dedupe across tools.
+
+```ts
+import { kind, type Finding } from 'agent-gov-core';
+
+const finding: Finding = {
+  tool: 'scope_trail',
+  kind: kind('scope_trail', 'permission_allow_widened'),
+  severity: 'high',
+  message: 'Claude permission allowlist now includes Bash(npm *).',
+  location: { file: '.claude/settings.json', line: 12 },
+};
+```
+
+The JSON schema at [`schemas/finding.schema.json`](./schemas/finding.schema.json) enforces the dotted-kind shape — any tool emitting unprefixed kinds will fail validation.
+
+## What's in the library
+
+### Finding schema and helpers
+- `Finding`, `Severity`, `ToolKind`, `FindingLocation` — canonical types
+- `SEVERITIES`, `TOOL_KINDS` — runtime arrays of the enum values
+- `isSeverity(v)`, `isToolKind(v)`, `isNamespacedKind(v)` — type guards
+- `kind(tool, name)` — build a namespaced kind without hand-assembling the dotted string
+- `createFinding({tool, name, severity, message, ...})` — convenience constructor that calls `kind()` and `fingerprintFinding()` for you
+- `fingerprintFinding(finding)` — 16-character hex hash of `(kind, file, line, column)`. Stable across runs and message rewordings, so a meta-reviewer can dedupe
+- `validateFinding(value)` — runtime check against `schemas/finding.schema.json`, returns `{ ok, errors[] }`
+
+### Config readers
+- `readJsonObjectWithSource(path)` — JSONC reader, string-aware comment + trailing-comma stripping, position-preserving
+- `stripJsonComments(text)` — same logic exposed for in-memory text
+- `readTomlObject(path)` — TOML reader (sections, arrays of tables, inline tables, multi-line strings, dotted/quoted keys)
+- `parseToml(text)` — same exposed for text
+
+### Line locators
+- `lineOfJsonKey(text, key)` — 1-based line of `"key":`
+- `lineOfJsonStringValue(text, value, scope?)` — 1-based line of a JSON-encoded value, optionally scoped to a byte range
+- `lineOfTomlKey(text, dottedKey)` — 1-based line of a TOML key
+
+### MCP command normalization
+- `normalizeMcpCommand({ command, args, url, serverUrl, env, cwd })` — canonical identity string for an MCP server entry. Drops neutral flags (`-y`, `--yes`), resolves npx/uvx invocations, includes env+cwd in the identity. Used to dedupe `mcp_command_mismatch` false positives when servers are equivalent but syntactically different (`npx -y foo@1.2.3` vs `npx foo@1.2.3`).
+
+### Shell tokenization
+- `tokenizeShell(command)` — quote-aware split on `;`, `|`, `&&`, `||` plus trivial obfuscation neutralization (`c""url` → `curl`, `c\\url` → `curl`)
+- `getCommandHead(subcommand)` — extract the leading verb after tokenization
+
+### GitHub Action helpers
+- `rankSeverity(s)` — numeric rank `none=0 … critical=4`
+- `passesSeverityThreshold(s, threshold)`, `anyAtOrAbove(findings, threshold)` — fail-on plumbing
+- `emitFindingAnnotation(f)` — render a Finding as a `::warning file=…,line=…,title=…::…` GitHub workflow annotation
+
+### Test fixtures (`agent-gov-core/test-utils`)
+Secondary entry point used by consumer test suites. Zero overhead in production — only loaded when test files import it.
+
+- `writeFiles(dir, { relPath: content })` — write a map of files under `dir`, creating parent directories
+- `makeGitRepo({ initialFiles?, initialMessage? })` → `{ repo, commit, head, git, cleanup }` — temp repo on branch `main` with placeholder identity; `commit()` writes files and commits, returning the new SHA
+- `makeOldNewFixture({ old, new })` → `{ old, new, cleanup }` — two sibling temp directories for diff-mode CLI tests
+
+## Principles
+
+- **Zero runtime dependencies.** Real TOML, JSONC, MCP normalization, shell tokenization — all hand-written or vendored, no transitive supply chain.
+- **MIT.** No telemetry. No network calls anywhere in the library.
+- **Semver, with the contract frozen at v1.0.** Until then, minor versions may include breaking changes (the v0.2 schema regex tightening is one example).
+- **Per-tool reasoning stays in each tool.** This library is the substrate, not the orchestrator.
+
+## Used by
+
+- [ScopeTrail](https://github.com/Conalh/ScopeTrail) — agent permission drift in PRs (`scope_trail.*` findings)
+- [PolicyMesh](https://github.com/Conalh/PolicyMesh) — cross-surface agent policy contradictions (`policy_mesh.*`)
+- [CapabilityEcho](https://github.com/Conalh/CapabilityEcho) — capability drift through code, not config (`capability_echo.*`)
+- [TaskBound](https://github.com/Conalh/TaskBound) — scope creep after the agent runs (`task_bound.*`)
+- [SessionTrail](https://github.com/Conalh/SessionTrail) — runtime behavior across agent session transcripts (`session_trail.*`)
+
+## License
+
+MIT.

package/dist/action.d.ts

@@ -0,0 +1,31 @@
+import type { Finding, Severity } from './finding.js';
+/** Numeric rank: low=1, medium=2, high=3, critical=4. */
+export declare function rankSeverity(severity: Severity): number;
+/**
+ * `true` when `severity` is at least as severe as `threshold` — i.e. the run
+ * should FAIL. Returns `false` (= pass) if `severity` is below threshold.
+ */
+export declare function passesSeverityThreshold(severity: Severity, threshold: Severity): boolean;
+/**
+ * Returns true if any finding meets or exceeds the threshold.
+ */
+export declare function anyAtOrAbove(findings: readonly Finding[], threshold: Severity): boolean;
+/**
+ * Build a GitHub Actions workflow command line for a finding.
+ *
+ * `critical` and `high` map to `::error`; everything else maps to `::warning`.
+ * `notice` is intentionally not used — surfacing low findings as `warning` makes
+ * them visible in the Files Changed tab.
+ *
+ * @example
+ * emitFindingAnnotation({
+ *   tool: 'capability_echo',
+ *   kind: 'capability_echo.workflow_permission_write',
+ *   severity: 'high',
+ *   message: 'Workflow grants contents: write to PR-triggered jobs.',
+ *   location: { file: '.github/workflows/ci.yml', line: 12 },
+ * });
+ * // → '::error file=.github/workflows/ci.yml,line=12,title=[capability_echo.workflow_permission_write] high::Workflow grants contents: write to PR-triggered jobs.'
+ */
+export declare function emitFindingAnnotation(finding: Finding): string;
+//# sourceMappingURL=action.d.ts.map

package/dist/action.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action.d.ts","sourceRoot":"","sources":["../src/action.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,cAAc,CAAC;AAStD,yDAAyD;AACzD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM,CAEvD;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,GAAG,OAAO,CAExF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,SAAS,OAAO,EAAE,EAAE,SAAS,EAAE,QAAQ,GAAG,OAAO,CAKvF;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,qBAAqB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAe9D"}

package/dist/action.js

@@ -0,0 +1,79 @@
+const SEVERITY_RANK = {
+    low: 1,
+    medium: 2,
+    high: 3,
+    critical: 4,
+};
+/** Numeric rank: low=1, medium=2, high=3, critical=4. */
+export function rankSeverity(severity) {
+    return SEVERITY_RANK[severity];
+}
+/**
+ * `true` when `severity` is at least as severe as `threshold` — i.e. the run
+ * should FAIL. Returns `false` (= pass) if `severity` is below threshold.
+ */
+export function passesSeverityThreshold(severity, threshold) {
+    return rankSeverity(severity) >= rankSeverity(threshold);
+}
+/**
+ * Returns true if any finding meets or exceeds the threshold.
+ */
+export function anyAtOrAbove(findings, threshold) {
+    for (const f of findings) {
+        if (passesSeverityThreshold(f.severity, threshold))
+            return true;
+    }
+    return false;
+}
+/**
+ * Build a GitHub Actions workflow command line for a finding.
+ *
+ * `critical` and `high` map to `::error`; everything else maps to `::warning`.
+ * `notice` is intentionally not used — surfacing low findings as `warning` makes
+ * them visible in the Files Changed tab.
+ *
+ * @example
+ * emitFindingAnnotation({
+ *   tool: 'capability_echo',
+ *   kind: 'capability_echo.workflow_permission_write',
+ *   severity: 'high',
+ *   message: 'Workflow grants contents: write to PR-triggered jobs.',
+ *   location: { file: '.github/workflows/ci.yml', line: 12 },
+ * });
+ * // → '::error file=.github/workflows/ci.yml,line=12,title=[capability_echo.workflow_permission_write] high::Workflow grants contents: write to PR-triggered jobs.'
+ */
+export function emitFindingAnnotation(finding) {
+    const level = finding.severity === 'critical' || finding.severity === 'high'
+        ? 'error'
+        : 'warning';
+    const params = [];
+    if (finding.location?.file)
+        params.push(`file=${escapeProperty(finding.location.file)}`);
+    if (finding.location?.line != null)
+        params.push(`line=${finding.location.line}`);
+    if (finding.location?.column != null)
+        params.push(`col=${finding.location.column}`);
+    if (finding.location?.endLine != null)
+        params.push(`endLine=${finding.location.endLine}`);
+    if (finding.location?.endColumn != null)
+        params.push(`endColumn=${finding.location.endColumn}`);
+    params.push(`title=${escapeProperty(`[${finding.kind}] ${finding.severity}`)}`);
+    const message = escapeData(finding.message);
+    return `::${level} ${params.join(',')}::${message}`;
+}
+// per GitHub Actions docs
+function escapeData(s) {
+    return s
+        .replace(/%/g, '%25')
+        .replace(/\r/g, '%0D')
+        .replace(/\n/g, '%0A');
+}
+function escapeProperty(s) {
+    return s
+        .replace(/%/g, '%25')
+        .replace(/\r/g, '%0D')
+        .replace(/\n/g, '%0A')
+        .replace(/:/g, '%3A')
+        .replace(/,/g, '%2C');
+}
+//# sourceMappingURL=action.js.map

package/dist/action.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action.js","sourceRoot":"","sources":["../src/action.ts"],"names":[],"mappings":"AAEA,MAAM,aAAa,GAA6B;IAC9C,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,yDAAyD;AACzD,MAAM,UAAU,YAAY,CAAC,QAAkB;IAC7C,OAAO,aAAa,CAAC,QAAQ,CAAC,CAAC;AACjC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CAAC,QAAkB,EAAE,SAAmB;IAC7E,OAAO,YAAY,CAAC,QAAQ,CAAC,IAAI,YAAY,CAAC,SAAS,CAAC,CAAC;AAC3D,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,QAA4B,EAAE,SAAmB;IAC5E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,uBAAuB,CAAC,CAAC,CAAC,QAAQ,EAAE,SAAS,CAAC;YAAE,OAAO,IAAI,CAAC;IAClE,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,MAAM,KAAK,GAAG,OAAO,CAAC,QAAQ,KAAK,UAAU,IAAI,OAAO,CAAC,QAAQ,KAAK,MAAM;QAC1E,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,SAAS,CAAC;IAEd,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,OAAO,CAAC,QAAQ,EAAE,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,cAAc,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACzF,IAAI,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC;IACjF,IAAI,OAAO,CAAC,QAAQ,EAAE,MAAM,IAAI,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,OAAO,OAAO,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACpF,IAAI,OAAO,CAAC,QAAQ,EAAE,OAAO,IAAI,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,WAAW,OAAO,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC;IAC1F,IAAI,OAAO,CAAC,QAAQ,EAAE,SAAS,IAAI,IAAI;QAAE,MAAM,CAAC,IAAI,CAAC,aAAa,OAAO,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;IAChG,MAAM,CAAC,IAAI,CAAC,SAAS,cAAc,CAAC,IAAI,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,QAAQ,EAAE,CAAC,EAAE,CAAC,CAAC;IAEhF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAC5C,OAAO,KAAK,KAAK,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC;AACtD,CAAC;AAED,0BAA0B;AAC1B,SAAS,UAAU,CAAC,CAAS;IAC3B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;SACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;AAC3B,CAAC;AAED,SAAS,cAAc,CAAC,CAAS;IAC/B,OAAO,CAAC;SACL,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;SACpB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC;SACpB,OAAO,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AAC1B,CAAC"}

package/dist/finding.d.ts

@@ -0,0 +1,115 @@
+export type Severity = 'low' | 'medium' | 'high' | 'critical';
+/**
+ * Closed set of tool identifiers in the AI-agent governance suite. Adding a new
+ * tool requires updating this union, {@link TOOL_KINDS}, the `tool` enum in
+ * `schemas/finding.schema.json`, and the `kind` pattern regex in both this file
+ * and the schema — they are kept in lockstep by the test suite.
+ */
+export type ToolKind = 'scope_trail' | 'policy_mesh' | 'capability_echo' | 'task_bound' | 'session_trail';
+export interface FindingLocation {
+    file: string;
+    line?: number;
+    column?: number;
+    endLine?: number;
+    endColumn?: number;
+}
+export interface Finding {
+    /** Originating tool. */
+    tool: ToolKind;
+    /** Namespaced kind: `<tool_kind>.<short_slug>` (e.g. `scope_trail.permission_allow_widened`). */
+    kind: string;
+    severity: Severity;
+    /** Human-readable headline. Single line. */
+    message: string;
+    /** Optional longer-form explanation; can be multi-line. */
+    detail?: string;
+    location?: FindingLocation;
+    /** Stable identifier for dedupe across runs. Recommended: hash of (kind, location, salient fields). */
+    fingerprint?: string;
+    /** Optional structured metadata; downstream meta-reviewers may inspect it. */
+    data?: Record<string, unknown>;
+}
+export declare const SEVERITIES: readonly Severity[];
+export declare const TOOL_KINDS: readonly ToolKind[];
+export declare function isSeverity(value: unknown): value is Severity;
+export declare function isToolKind(value: unknown): value is ToolKind;
+/**
+ * Build a namespaced finding kind like `scope_trail.permission_allow_widened`
+ * without hand-assembling the dotted string. The `name` slug must match
+ * `[a-z0-9_]+` — the same pattern the JSON schema enforces.
+ *
+ * @throws if `name` contains characters outside the allowed slug class.
+ */
+export declare function kind<T extends ToolKind>(tool: T, name: string): `${T}.${string}`;
+/**
+ * Runtime guard matching the JSON schema's `kind` pattern. Useful for
+ * tools that want to assert their finding constructors produce valid
+ * namespaced kinds before emit.
+ */
+export declare function isNamespacedKind(value: unknown): value is `${ToolKind}.${string}`;
+/** Constructor spec for {@link createFinding}. */
+export interface CreateFindingSpec {
+    tool: ToolKind;
+    /** Slug appended to `tool` to form `kind`. Must match `[a-z0-9_]+`. */
+    name: string;
+    severity: Severity;
+    message: string;
+    detail?: string;
+    location?: FindingLocation;
+    data?: Record<string, unknown>;
+    /** Optional explicit fingerprint. If omitted, {@link fingerprintFinding} is computed. */
+    fingerprint?: string;
+}
+/**
+ * Convenience constructor that assembles a {@link Finding} with a validated
+ * namespaced `kind` and a deterministic fingerprint. Equivalent to building the
+ * object literal by hand plus calling {@link kind} and {@link fingerprintFinding}.
+ *
+ * @example
+ * const f = createFinding({
+ *   tool: 'scope_trail',
+ *   name: 'permission_allow_widened',
+ *   severity: 'high',
+ *   message: 'Claude Code allow rule widened to Bash(npm *)',
+ *   location: { file: '.claude/settings.json', line: 12 },
+ * });
+ * // f.kind === 'scope_trail.permission_allow_widened'
+ * // f.fingerprint === '<stable hex>'
+ */
+export declare function createFinding(spec: CreateFindingSpec): Finding;
+/**
+ * Stable 16-character hex fingerprint for a finding, derived from its routing
+ * fields (`kind`, `location.file`, `location.line`, `location.column`). Two
+ * findings emitted by the same tool against the same site collapse to the same
+ * fingerprint, so a downstream meta-reviewer can dedupe across runs.
+ *
+ * The fingerprint deliberately ignores `message`, `detail`, and `data` — those
+ * fields can drift across versions without changing the underlying issue.
+ *
+ * @example
+ * fingerprintFinding({
+ *   tool: 'task_bound',
+ *   kind: 'task_bound.out_of_scope_file',
+ *   severity: 'medium',
+ *   message: 'Touched file outside stated task',
+ *   location: { file: 'src/index.ts', line: 42 },
+ * });
+ * // → '7e1c9b3a4d8f6e02'
+ */
+export declare function fingerprintFinding(finding: Finding): string;
+export interface FindingValidationResult {
+    ok: boolean;
+    errors: string[];
+}
+/**
+ * Runtime check that a value conforms to the canonical Finding schema
+ * (`schemas/finding.schema.json`). Returns the first error per offending
+ * field rather than throwing — meta-reviewers can collect errors across a
+ * batch and report them in aggregate.
+ *
+ * @example
+ * const result = validateFinding(jsonFromDisk);
+ * if (!result.ok) console.error(result.errors.join('\n'));
+ */
+export declare function validateFinding(value: unknown): FindingValidationResult;
+//# sourceMappingURL=finding.d.ts.map

package/dist/finding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding.d.ts","sourceRoot":"","sources":["../src/finding.ts"],"names":[],"mappings":"AAEA,MAAM,MAAM,QAAQ,GAAG,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,MAAM,QAAQ,GAChB,aAAa,GACb,aAAa,GACb,iBAAiB,GACjB,YAAY,GACZ,eAAe,CAAC;AAEpB,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,OAAO;IACtB,wBAAwB;IACxB,IAAI,EAAE,QAAQ,CAAC;IACf,iGAAiG;IACjG,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,4CAA4C;IAC5C,OAAO,EAAE,MAAM,CAAC;IAChB,2DAA2D;IAC3D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,uGAAuG;IACvG,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8EAA8E;IAC9E,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED,eAAO,MAAM,UAAU,EAAE,SAAS,QAAQ,EAA0C,CAAC;AAErF,eAAO,MAAM,UAAU,EAAE,SAAS,QAAQ,EAMzC,CAAC;AAEF,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAE5D;AAED,wBAAgB,UAAU,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,QAAQ,CAE5D;AAED;;;;;;GAMG;AACH,wBAAgB,IAAI,CAAC,CAAC,SAAS,QAAQ,EAAE,IAAI,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,GAAG,GAAG,CAAC,IAAI,MAAM,EAAE,CAOhF;AAID;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,GAAG,QAAQ,IAAI,MAAM,EAAE,CAEjF;AAED,kDAAkD;AAClD,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,QAAQ,CAAC;IACf,uEAAuE;IACvE,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,QAAQ,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,yFAAyF;IACzF,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAY9D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,kBAAkB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,CAQ3D;AAED,MAAM,WAAW,uBAAuB;IACtC,EAAE,EAAE,OAAO,CAAC;IACZ,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAeD;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,uBAAuB,CAkCvE"}

package/dist/finding.js

@@ -0,0 +1,177 @@
+import { createHash } from 'node:crypto';
+export const SEVERITIES = ['low', 'medium', 'high', 'critical'];
+export const TOOL_KINDS = [
+    'scope_trail',
+    'policy_mesh',
+    'capability_echo',
+    'task_bound',
+    'session_trail',
+];
+export function isSeverity(value) {
+    return typeof value === 'string' && SEVERITIES.includes(value);
+}
+export function isToolKind(value) {
+    return typeof value === 'string' && TOOL_KINDS.includes(value);
+}
+/**
+ * Build a namespaced finding kind like `scope_trail.permission_allow_widened`
+ * without hand-assembling the dotted string. The `name` slug must match
+ * `[a-z0-9_]+` — the same pattern the JSON schema enforces.
+ *
+ * @throws if `name` contains characters outside the allowed slug class.
+ */
+export function kind(tool, name) {
+    if (!/^[a-z0-9_]+$/.test(name)) {
+        throw new Error(`agent-gov-core/kind: name '${name}' must match [a-z0-9_]+ (kebab, camelCase, and dots are rejected)`);
+    }
+    return `${tool}.${name}`;
+}
+const KIND_PATTERN = /^(scope_trail|policy_mesh|capability_echo|task_bound|session_trail)\.[a-z0-9_]+$/;
+/**
+ * Runtime guard matching the JSON schema's `kind` pattern. Useful for
+ * tools that want to assert their finding constructors produce valid
+ * namespaced kinds before emit.
+ */
+export function isNamespacedKind(value) {
+    return typeof value === 'string' && KIND_PATTERN.test(value);
+}
+/**
+ * Convenience constructor that assembles a {@link Finding} with a validated
+ * namespaced `kind` and a deterministic fingerprint. Equivalent to building the
+ * object literal by hand plus calling {@link kind} and {@link fingerprintFinding}.
+ *
+ * @example
+ * const f = createFinding({
+ *   tool: 'scope_trail',
+ *   name: 'permission_allow_widened',
+ *   severity: 'high',
+ *   message: 'Claude Code allow rule widened to Bash(npm *)',
+ *   location: { file: '.claude/settings.json', line: 12 },
+ * });
+ * // f.kind === 'scope_trail.permission_allow_widened'
+ * // f.fingerprint === '<stable hex>'
+ */
+export function createFinding(spec) {
+    const finding = {
+        tool: spec.tool,
+        kind: kind(spec.tool, spec.name),
+        severity: spec.severity,
+        message: spec.message,
+    };
+    if (spec.detail !== undefined)
+        finding.detail = spec.detail;
+    if (spec.location !== undefined)
+        finding.location = spec.location;
+    if (spec.data !== undefined)
+        finding.data = spec.data;
+    finding.fingerprint = spec.fingerprint ?? fingerprintFinding(finding);
+    return finding;
+}
+/**
+ * Stable 16-character hex fingerprint for a finding, derived from its routing
+ * fields (`kind`, `location.file`, `location.line`, `location.column`). Two
+ * findings emitted by the same tool against the same site collapse to the same
+ * fingerprint, so a downstream meta-reviewer can dedupe across runs.
+ *
+ * The fingerprint deliberately ignores `message`, `detail`, and `data` — those
+ * fields can drift across versions without changing the underlying issue.
+ *
+ * @example
+ * fingerprintFinding({
+ *   tool: 'task_bound',
+ *   kind: 'task_bound.out_of_scope_file',
+ *   severity: 'medium',
+ *   message: 'Touched file outside stated task',
+ *   location: { file: 'src/index.ts', line: 42 },
+ * });
+ * // → '7e1c9b3a4d8f6e02'
+ */
+export function fingerprintFinding(finding) {
+    const parts = [
+        finding.kind,
+        finding.location?.file ?? '',
+        finding.location?.line ?? '',
+        finding.location?.column ?? '',
+    ];
+    return createHash('sha256').update(parts.join('|')).digest('hex').slice(0, 16);
+}
+const FINDING_ALLOWED_KEYS = new Set([
+    'tool',
+    'kind',
+    'severity',
+    'message',
+    'detail',
+    'location',
+    'fingerprint',
+    'data',
+]);
+const LOCATION_ALLOWED_KEYS = new Set(['file', 'line', 'column', 'endLine', 'endColumn']);
+/**
+ * Runtime check that a value conforms to the canonical Finding schema
+ * (`schemas/finding.schema.json`). Returns the first error per offending
+ * field rather than throwing — meta-reviewers can collect errors across a
+ * batch and report them in aggregate.
+ *
+ * @example
+ * const result = validateFinding(jsonFromDisk);
+ * if (!result.ok) console.error(result.errors.join('\n'));
+ */
+export function validateFinding(value) {
+    const errors = [];
+    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
+        return { ok: false, errors: ['finding must be a plain object'] };
+    }
+    const v = value;
+    if (!isToolKind(v.tool))
+        errors.push(`tool must be one of: ${TOOL_KINDS.join(', ')}`);
+    if (!isNamespacedKind(v.kind))
+        errors.push("kind must match '<tool>.<slug>' (e.g. 'scope_trail.permission_allow_widened')");
+    if (!isSeverity(v.severity))
+        errors.push(`severity must be one of: ${SEVERITIES.join(', ')}`);
+    if (typeof v.message !== 'string' || v.message.length === 0)
+        errors.push('message must be a non-empty string');
+    if (isToolKind(v.tool) && isNamespacedKind(v.kind) && !v.kind.startsWith(`${v.tool}.`)) {
+        errors.push(`kind '${v.kind}' must start with tool '${v.tool}.'`);
+    }
+    if (v.detail !== undefined && typeof v.detail !== 'string') {
+        errors.push('detail must be a string when present');
+    }
+    if (v.fingerprint !== undefined && typeof v.fingerprint !== 'string') {
+        errors.push('fingerprint must be a string when present');
+    }
+    if (v.data !== undefined && (v.data === null || typeof v.data !== 'object' || Array.isArray(v.data))) {
+        errors.push('data must be an object when present');
+    }
+    if (v.location !== undefined) {
+        errors.push(...validateLocation(v.location));
+    }
+    for (const key of Object.keys(v)) {
+        if (!FINDING_ALLOWED_KEYS.has(key))
+            errors.push(`unknown property: ${key}`);
+    }
+    return { ok: errors.length === 0, errors };
+}
+function validateLocation(value) {
+    const errors = [];
+    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
+        return ['location must be an object when present'];
+    }
+    const loc = value;
+    if (typeof loc.file !== 'string' || loc.file.length === 0) {
+        errors.push('location.file must be a non-empty string');
+    }
+    for (const field of ['line', 'column', 'endLine', 'endColumn']) {
+        if (loc[field] !== undefined) {
+            const n = loc[field];
+            if (typeof n !== 'number' || !Number.isInteger(n) || n < 1) {
+                errors.push(`location.${field} must be a positive integer when present`);
+            }
+        }
+    }
+    for (const key of Object.keys(loc)) {
+        if (!LOCATION_ALLOWED_KEYS.has(key))
+            errors.push(`unknown location property: ${key}`);
+    }
+    return errors;
+}
+//# sourceMappingURL=finding.js.map

package/dist/finding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"finding.js","sourceRoot":"","sources":["../src/finding.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AA0CzC,MAAM,CAAC,MAAM,UAAU,GAAwB,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,UAAU,CAAC,CAAC;AAErF,MAAM,CAAC,MAAM,UAAU,GAAwB;IAC7C,aAAa;IACb,aAAa;IACb,iBAAiB;IACjB,YAAY;IACZ,eAAe;CAChB,CAAC;AAEF,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAK,UAAgC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACxF,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAc;IACvC,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAK,UAAgC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACxF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,IAAI,CAAqB,IAAO,EAAE,IAAY;IAC5D,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,8BAA8B,IAAI,mEAAmE,CACtG,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,IAAI,IAAI,IAAI,EAAsB,CAAC;AAC/C,CAAC;AAED,MAAM,YAAY,GAAG,kFAAkF,CAAC;AAExG;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AAC/D,CAAC;AAgBD;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,aAAa,CAAC,IAAuB;IACnD,MAAM,OAAO,GAAY;QACvB,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC;QAChC,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,OAAO,EAAE,IAAI,CAAC,OAAO;KACtB,CAAC;IACF,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS;QAAE,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;IAC5D,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;QAAE,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;IAClE,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS;QAAE,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IACtD,OAAO,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACtE,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,kBAAkB,CAAC,OAAgB;IACjD,MAAM,KAAK,GAAG;QACZ,OAAO,CAAC,IAAI;QACZ,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE;QAC5B,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,EAAE;QAC5B,OAAO,CAAC,QAAQ,EAAE,MAAM,IAAI,EAAE;KAC/B,CAAC;IACF,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAOD,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,MAAM;IACN,MAAM;IACN,UAAU;IACV,SAAS;IACT,QAAQ;IACR,UAAU;IACV,aAAa;IACb,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC,CAAC;AAE1F;;;;;;;;;GASG;AACH,MAAM,UAAU,eAAe,CAAC,KAAc;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,gCAAgC,CAAC,EAAE,CAAC;IACnE,CAAC;IACD,MAAM,CAAC,GAAG,KAAgC,CAAC;IAE3C,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,wBAAwB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtF,IAAI,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,+EAA+E,CAAC,CAAC;IAC5H,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,4BAA4B,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC9F,IAAI,OAAO,CAAC,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAC;IAE/G,IAAI,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QACvF,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,IAAI,2BAA2B,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,CAAC,CAAC,MAAM,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAC;IACtD,CAAC;IACD,IAAI,CAAC,CAAC,WAAW,KAAK,SAAS,IAAI,OAAO,CAAC,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QACrE,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,CAAC,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;QACrG,MAAM,CAAC,IAAI,CAAC,qCAAqC,CAAC,CAAC;IACrD,CAAC;IACD,IAAI,CAAC,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,GAAG,gBAAgB,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC/C,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;QACjC,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,qBAAqB,GAAG,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAC7C,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAc;IACtC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACxE,OAAO,CAAC,yCAAyC,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,GAAG,GAAG,KAAgC,CAAC;IAC7C,IAAI,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ,IAAI,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAC;IAC1D,CAAC;IACD,KAAK,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,WAAW,CAAU,EAAE,CAAC;QACxE,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC;YACrB,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC,YAAY,KAAK,0CAA0C,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;IACH,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACnC,IAAI,CAAC,qBAAqB,CAAC,GAAG,CAAC,GAAG,CAAC;YAAE,MAAM,CAAC,IAAI,CAAC,8BAA8B,GAAG,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,13 @@
+export type { Finding, FindingLocation, Severity, ToolKind, CreateFindingSpec, FindingValidationResult, } from './finding.js';
+export { SEVERITIES, TOOL_KINDS, isSeverity, isToolKind, isNamespacedKind, kind, createFinding, fingerprintFinding, validateFinding, } from './finding.js';
+export type { JsonObjectWithSource } from './jsonc.js';
+export { readJsonObjectWithSource, stripJsonComments } from './jsonc.js';
+export type { TomlObjectWithSource } from './toml.js';
+export { readTomlObject, parseToml } from './toml.js';
+export type { ByteRange } from './locators.js';
+export { lineOfJsonKey, lineOfJsonStringValue, lineOfTomlKey, } from './locators.js';
+export type { McpCommandSpec } from './mcp.js';
+export { normalizeMcpCommand } from './mcp.js';
+export { tokenizeShell, getCommandHead } from './shell.js';
+export { rankSeverity, passesSeverityThreshold, anyAtOrAbove, emitFindingAnnotation, } from './action.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,YAAY,EACV,OAAO,EACP,eAAe,EACf,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,UAAU,EACV,UAAU,EACV,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,IAAI,EACJ,aAAa,EACb,kBAAkB,EAClB,eAAe,GAChB,MAAM,cAAc,CAAC;AAEtB,YAAY,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AACvD,OAAO,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAEzE,YAAY,EAAE,oBAAoB,EAAE,MAAM,WAAW,CAAC;AACtD,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtD,YAAY,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,aAAa,GACd,MAAM,eAAe,CAAC;AAEvB,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC/C,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAE/C,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE3D,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,YAAY,EACZ,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+export { SEVERITIES, TOOL_KINDS, isSeverity, isToolKind, isNamespacedKind, kind, createFinding, fingerprintFinding, validateFinding, } from './finding.js';
+export { readJsonObjectWithSource, stripJsonComments } from './jsonc.js';
+export { readTomlObject, parseToml } from './toml.js';
+export { lineOfJsonKey, lineOfJsonStringValue, lineOfTomlKey, } from './locators.js';
+export { normalizeMcpCommand } from './mcp.js';
+export { tokenizeShell, getCommandHead } from './shell.js';
+export { rankSeverity, passesSeverityThreshold, anyAtOrAbove, emitFindingAnnotation, } from './action.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAQA,OAAO,EACL,UAAU,EACV,UAAU,EACV,UAAU,EACV,UAAU,EACV,gBAAgB,EAChB,IAAI,EACJ,aAAa,EACb,kBAAkB,EAClB,eAAe,GAChB,MAAM,cAAc,CAAC;AAGtB,OAAO,EAAE,wBAAwB,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAGzE,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtD,OAAO,EACL,aAAa,EACb,qBAAqB,EACrB,aAAa,GACd,MAAM,eAAe,CAAC;AAGvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,UAAU,CAAC;AAE/C,OAAO,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE3D,OAAO,EACL,YAAY,EACZ,uBAAuB,EACvB,YAAY,EACZ,qBAAqB,GACtB,MAAM,aAAa,CAAC"}

package/dist/jsonc.d.ts

@@ -0,0 +1,20 @@
+export interface JsonObjectWithSource {
+    /** Parsed JSON value, or `undefined` if parsing failed. */
+    json: unknown;
+    /** Raw file text (untouched). */
+    text: string;
+    /** Set when parsing failed. */
+    parseError?: Error;
+}
+/**
+ * Strip `//` line comments, `/* ... *\/` block comments, and trailing commas from JSONC,
+ * preserving byte offsets (replacement is space-filled, newlines preserved) so downstream
+ * line locators still match the original `text`.
+ */
+export declare function stripJsonComments(input: string): string;
+/**
+ * Read a JSONC file and return both the parsed value and the original text.
+ * The original text is preserved exactly so line locators can operate on it.
+ */
+export declare function readJsonObjectWithSource(path: string): JsonObjectWithSource;
+//# sourceMappingURL=jsonc.d.ts.map

package/dist/jsonc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonc.d.ts","sourceRoot":"","sources":["../src/jsonc.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,oBAAoB;IACnC,2DAA2D;IAC3D,IAAI,EAAE,OAAO,CAAC;IACd,iCAAiC;IACjC,IAAI,EAAE,MAAM,CAAC;IACb,+BAA+B;IAC/B,UAAU,CAAC,EAAE,KAAK,CAAC;CACpB;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAoEvD;AA8BD;;;GAGG;AACH,wBAAgB,wBAAwB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,CAS3E"}