aislop 0.10.0 → 0.10.2

package/dist/cli.js

@@ -34,7 +34,7 @@ var __exportAll = (all, no_symbols) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.10.0";
+const APP_VERSION = "0.10.2";
 
 //#endregion
 //#region src/telemetry/env.ts
@@ -183,7 +183,7 @@ const redactProperties = (props) => {
 const POSTHOG_HOST = process.env.AISLOP_POSTHOG_HOST ?? "https://eu.i.posthog.com";
 const POSTHOG_KEY = process.env.AISLOP_POSTHOG_KEY ?? "phc_eY2cOMFva9q24GrWeOuvuVIOhCIdjOALxeAR3ItrqbJ";
 const SCHEMA_VERSION = "v2";
-const REQUEST_TIMEOUT_MS = 3e3;
+const REQUEST_TIMEOUT_MS$1 = 3e3;
 const isTelemetryDisabled = (config) => {
 	const env = process.env;
 	if (env.AISLOP_NO_TELEMETRY === "1" || env.DO_NOT_TRACK === "1") return true;
@@ -237,16 +237,21 @@ const track = (input) => {
 		method: "POST",
 		headers: { "Content-Type": "application/json" },
 		body: JSON.stringify(payload),
-		signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS)
+		signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS$1)
 	}).then(() => {}).catch(() => {}).finally(() => {
 		pendingRequests.delete(request);
 	});
 	pendingRequests.add(request);
 	return { installCreated };
 };
-const flushTelemetry = async () => {
+const flushTelemetry = async (timeoutMs) => {
 	if (pendingRequests.size === 0) return;
-	await Promise.all(pendingRequests);
+	const all = Promise.all(pendingRequests);
+	if (timeoutMs == null) {
+		await all;
+		return;
+	}
+	await Promise.race([all, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
 };
 
 //#endregion
@@ -361,7 +366,7 @@ const withCommandLifecycle = async (start, run) => {
 				startProps,
 				exitCode: result.exitCode,
 				durationMs,
-				score: result.score,
+				score: result.score ?? void 0,
 				findingCount: result.findingCount,
 				errorCount: result.errorCount,
 				warningCount: result.warningCount,
@@ -619,12 +624,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: scanaislop/aislop@v${APP_VERSION}
         with:
-          node-version: 20
-      # Quality gate: exits 1 when score < ci.failBelow in .aislop/config.yml
-      # or when any error-severity diagnostic is present.
-      - run: npx aislop@latest ci .
+          version: ${APP_VERSION}
 `;
 const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 # Uncomment and customize to enforce your project's conventions.
@@ -1012,6 +1014,15 @@ const listProjectFiles = (rootDirectory) => {
 	if (findResult.error || findResult.status !== 0) return [];
 	return findResult.stdout.split("\n").filter((file) => file.length > 0).map((file) => file.replace(/^\.\//, ""));
 };
+const readAislopIgnorePatterns = (rootDirectory) => {
+	const ignorePath = path.join(rootDirectory, ".aislopignore");
+	if (!fs.existsSync(ignorePath)) return [];
+	try {
+		return fs.readFileSync(ignorePath, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+	} catch {
+		return [];
+	}
+};
 const normalizeExcludePatterns = (patterns) => {
 	return patterns.flatMap((pattern) => {
 		const p = pattern.trim();
@@ -1085,7 +1096,7 @@ const getSourceFilesWithExtras = (context, extraExtensions) => {
 };
 
 //#endregion
-//#region src/engines/ai-slop/abstractions.ts
+//#region src/utils/source-masker.ts
 const JS_EXTS$2 = new Set([
 	".ts",
 	".tsx",
@@ -1094,14 +1105,226 @@ const JS_EXTS$2 = new Set([
 	".mjs",
 	".cjs"
 ]);
+const PY_EXTS = new Set([".py"]);
+const RB_EXTS = new Set([".rb"]);
+const PHP_EXTS = new Set([".php"]);
+const familyForExt = (ext) => {
+	if (JS_EXTS$2.has(ext)) return "js";
+	if (PY_EXTS.has(ext)) return "py";
+	if (RB_EXTS.has(ext)) return "rb";
+	if (PHP_EXTS.has(ext)) return "php";
+	return "none";
+};
+const maskStringsAndComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, true);
+	return maskSimple(content, family, true);
+};
+const maskComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, false);
+	return maskSimple(content, family, false);
+};
+const handleQuotesAndComments = (content, i, tplStack, mask, maskStrings) => {
+	const len = content.length;
+	const c = content[i];
+	const next = content[i + 1];
+	if (c === "\"" || c === "'") {
+		const strStart = i;
+		const end = consumeQuotedString(content, i, c);
+		if (maskStrings) mask(strStart + 1, end - 1);
+		return {
+			handled: true,
+			nextI: end
+		};
+	}
+	if (c === "`") {
+		const scan = consumeTemplateString(content, i + 1);
+		if (maskStrings) mask(i + 1, scan.maskEnd);
+		if (scan.openedInterp) tplStack.push(0);
+		return {
+			handled: true,
+			nextI: scan.resumeAt
+		};
+	}
+	if (c === "/" && next === "/") {
+		const strStart = i;
+		let k = i;
+		while (k < len && content[k] !== "\n") k++;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	if (c === "/" && next === "*") {
+		const strStart = i;
+		let k = i + 2;
+		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
+		if (k < len - 1) k += 2;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	return {
+		handled: false,
+		nextI: i
+	};
+};
+const maskJs = (content, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	const tplStack = [];
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		if (tplStack.length > 0) {
+			if (c === "{") {
+				tplStack[tplStack.length - 1]++;
+				i++;
+				continue;
+			}
+			if (c === "}") {
+				if (tplStack[tplStack.length - 1] === 0) {
+					tplStack.pop();
+					const scan = consumeTemplateString(content, i + 1);
+					if (maskStrings) mask(i + 1, scan.maskEnd);
+					if (scan.openedInterp) tplStack.push(0);
+					i = scan.resumeAt;
+					continue;
+				}
+				tplStack[tplStack.length - 1]--;
+				i++;
+				continue;
+			}
+		}
+		const handled = handleQuotesAndComments(content, i, tplStack, mask, maskStrings);
+		if (handled.handled) {
+			i = handled.nextI;
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+const consumeQuotedString = (content, start, quote) => {
+	const len = content.length;
+	let i = start + 1;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === quote) return i + 1;
+		if (c === "\n") return i;
+		i++;
+	}
+	return i;
+};
+const consumeTemplateString = (content, start) => {
+	const len = content.length;
+	let i = start;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === "`") return {
+			maskEnd: i,
+			resumeAt: i + 1,
+			openedInterp: false
+		};
+		if (c === "$" && content[i + 1] === "{") return {
+			maskEnd: i,
+			resumeAt: i + 2,
+			openedInterp: true
+		};
+		i++;
+	}
+	return {
+		maskEnd: i,
+		resumeAt: i,
+		openedInterp: false
+	};
+};
+const maskSimple = (content, family, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (family === "py" && (c === "\"" || c === "'")) {
+			if (content[i + 1] === c && content[i + 2] === c) {
+				const triple = c + c + c;
+				const end = content.indexOf(triple, i + 3);
+				const stop = end === -1 ? len : end + 3;
+				if (maskStrings) mask(i + 3, stop - 3);
+				i = stop;
+				continue;
+			}
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			if (maskStrings) mask(strStart + 1, i - 1);
+			continue;
+		}
+		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+
+//#endregion
+//#region src/engines/ai-slop/abstractions.ts
+const JS_EXTS$1 = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
 const THIN_WRAPPER_PATTERNS = [
 	{
 		pattern: /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*(?::\s*\w[^{]*)?\{\s*\n?\s*return\s+\w+\([^)]*\);\s*\n?\s*\}/g,
-		extensions: JS_EXTS$2
+		extensions: JS_EXTS$1
 	},
 	{
 		pattern: /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w[^=]*)?\s*=>\s*\w+\([^)]*\);/g,
-		extensions: JS_EXTS$2
+		extensions: JS_EXTS$1
 	},
 	{
 		pattern: /def\s+(\w+)\s*\([^)]*\)(?:\s*->[^:]*)?:\s*\n\s+return\s+\w+\([^)]*\)\s*$/gm,
@@ -1129,16 +1352,14 @@ const detectThinWrappers = (content, relativePath, ext) => {
 	for (const { pattern, extensions } of THIN_WRAPPER_PATTERNS) {
 		if (!extensions.has(ext)) continue;
 		const regex = new RegExp(pattern.source, pattern.flags);
-		let match;
-		while ((match = regex.exec(content)) !== null) {
+		for (const match of content.matchAll(regex)) {
 			const funcName = match[1];
 			const matchText = match[0];
 			const lineNumber = content.slice(0, match.index).split("\n").length;
 			if (DUNDER_PATTERN.test(funcName)) continue;
 			if (FRAMEWORK_METHOD_NAMES.test(funcName)) continue;
 			if (lineNumber >= 2) {
-				const prevLine = lines[lineNumber - 2]?.trim();
-				if (prevLine && prevLine.startsWith("@")) continue;
+				if ((lines[lineNumber - 2]?.trim())?.startsWith("@")) continue;
 			}
 			if (!isIdentityForward(matchText)) continue;
 			if (isUseContextWrapper(matchText)) continue;
@@ -1194,8 +1415,9 @@ const detectOverAbstraction = async (context) => {
 		}
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		const ext = path.extname(filePath);
-		diagnostics.push(...detectThinWrappers(content, relativePath, ext));
-		diagnostics.push(...detectAiNaming(content, relativePath));
+		const codeOnly = maskComments(content, ext);
+		diagnostics.push(...detectThinWrappers(codeOnly, relativePath, ext));
+		diagnostics.push(...detectAiNaming(codeOnly, relativePath));
 	}
 	return diagnostics;
 };
@@ -1514,7 +1736,7 @@ const detectDeadCodePatterns = (content, relativePath, ext) => {
 		const nextLine = i + 1 < lines.length ? lines[i + 1]?.trim() : void 0;
 		if (JS_EXTENSIONS$4.has(ext) && /^(?:return|throw)\b/.test(trimmed) && trimmed.endsWith(";") && nextLine && nextLine.length > 0 && !isGuardedSingleLineExit(lines, i) && !isBlockCloserAfterReturn(nextLine) && !nextLine.startsWith("//") && !nextLine.startsWith("/*") && !nextLine.startsWith("case ") && !nextLine.startsWith("default:") && !nextLine.startsWith("if ") && !nextLine.startsWith("if(") && !nextLine.startsWith("else")) diagnostics.push(slop(relativePath, i + 2, "ai-slop/unreachable-code", "warning", "Code after return/throw statement is unreachable", "Remove the unreachable code or restructure the control flow", false));
 		if (/\bif\s*\(\s*(?:false|true|0|1)\s*\)/.test(trimmed) && !trimmed.startsWith("//") && !trimmed.startsWith("*") && !/["'`].*\bif\s*\(/.test(trimmed) && !/\/.*\bif\s*\(/.test(trimmed.replace(/\/\/.*$/, ""))) diagnostics.push(slop(relativePath, i + 1, "ai-slop/constant-condition", "warning", "Conditional with a constant value — likely debugging leftover", "Remove the constant condition or replace with proper logic", false));
-		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
+		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
 	}
 	return diagnostics;
 };
@@ -1551,9 +1773,10 @@ const detectDeadPatterns = async (context) => {
 		}
 		const ext = path.extname(filePath);
 		const relativePath = path.relative(context.rootDirectory, filePath);
-		diagnostics.push(...detectConsoleLeftovers(content, relativePath, ext));
+		const codeOnly = maskComments(content, ext);
+		diagnostics.push(...detectConsoleLeftovers(codeOnly, relativePath, ext));
 		diagnostics.push(...detectTodoStubs(content, relativePath));
-		diagnostics.push(...detectDeadCodePatterns(content, relativePath, ext));
+		diagnostics.push(...detectDeadCodePatterns(codeOnly, relativePath, ext));
 		diagnostics.push(...detectUnsafeTypePatterns(content, relativePath, ext));
 	}
 	return diagnostics;
@@ -1743,6 +1966,7 @@ const JS_EXTENSIONS$3 = new Set([
 const IMPORT_FROM_RE$1 = /^\s*import\s+([^;]*?)\s+from\s+["']([^"']+)["']/;
 const TYPE_ONLY_RE = /^\s*type\b/;
 const VALUE_BINDING_RE = /\{([^}]*)\}/;
+const NAMESPACE_RE = /\*\s+as\s+/;
 const isTypeOnly = (clause) => {
 	if (TYPE_ONLY_RE.test(clause)) return true;
 	const braces = VALUE_BINDING_RE.exec(clause);
@@ -1760,7 +1984,8 @@ const extractImportLines = (content) => {
 		results.push({
 			spec: match[2],
 			line: i + 1,
-			typeOnly: isTypeOnly(match[1])
+			typeOnly: isTypeOnly(match[1]),
+			namespace: NAMESPACE_RE.test(match[1])
 		});
 	}
 	return results;
@@ -1777,11 +2002,11 @@ const detectDuplicateImports = async (context) => {
 		} catch {
 			continue;
 		}
-		const imports = extractImportLines(content);
+		const imports = extractImportLines(maskComments(content, path.extname(filePath)));
 		if (imports.length < 2) continue;
 		const byBucket = /* @__PURE__ */ new Map();
 		for (const imp of imports) {
-			const key = `${imp.typeOnly ? "type" : "value"}\0${imp.spec}`;
+			const key = `${imp.namespace ? "ns" : imp.typeOnly ? "type" : "value"}\0${imp.spec}`;
 			const list = byBucket.get(key) ?? [];
 			list.push(imp);
 			byBucket.set(key, list);
@@ -1897,9 +2122,8 @@ const detectSwallowedExceptions = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, languages, message } of SWALLOWED_EXCEPTION_PATTERNS) {
 			if (!languages.includes(ext)) continue;
-			let match;
 			const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes("g") ? "" : "g"));
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isIntentionalIgnore(match[0], ext)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
 				diagnostics.push({
@@ -1965,190 +2189,30 @@ const flagLibraryPanic = (lines, relPath, pkg, out) => {
 			severity: "warning",
 			message: `\`panic()\` in package \`${pkg}\` (non-main, non-test). Library code should return errors, not unwind the goroutine.`,
 			help: "Convert to `return fmt.Errorf(...)` (or a wrapped error) and let the caller decide. Reserve `panic` for genuinely-impossible states (corrupt internal invariants), and mark those with a comment so future readers know it's intentional.",
-			line: i + 1,
-			column: 1,
-			category: "AI Slop",
-			fixable: false
-		});
-	}
-};
-const detectGoPatterns = async (context) => {
-	const diagnostics = [];
-	const files = getSourceFiles(context);
-	for (const filePath of files) {
-		if (!GO_EXTENSIONS.has(path.extname(filePath))) continue;
-		if (isAutoGenerated(filePath)) continue;
-		if (filePath.endsWith("_test.go")) continue;
-		let content;
-		try {
-			content = fs.readFileSync(filePath, "utf-8");
-		} catch {
-			continue;
-		}
-		const lines = content.split("\n");
-		const pkg = detectPackageName(lines);
-		if (!pkg) continue;
-		flagLibraryPanic(lines, path.relative(context.rootDirectory, filePath), pkg, diagnostics);
-	}
-	return diagnostics;
-};
-
-//#endregion
-//#region src/engines/ai-slop/hardcoded-config.ts
-const SOURCE_EXTENSIONS = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs",
-	".py",
-	".go",
-	".rs",
-	".rb",
-	".java",
-	".php"
-]);
-const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
-const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
-const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
-const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
-const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
-const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
-const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
-const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
-const PLACEHOLDER_HOSTS = new Set([
-	"example.com",
-	"example.org",
-	"example.net"
-]);
-const LOOPBACK_HOSTS = new Set([
-	"localhost",
-	"127.0.0.1",
-	"0.0.0.0",
-	"::1"
-]);
-const VENDOR_API_DOMAINS = [
-	"github.com",
-	"githubusercontent.com",
-	"googleapis.com",
-	"accounts.google.com",
-	"stripe.com",
-	"openai.com",
-	"anthropic.com",
-	"slack.com",
-	"twilio.com",
-	"sendgrid.com",
-	"mailgun.net",
-	"cloudflare.com",
-	"discord.com",
-	"telegram.org",
-	"login.microsoftonline.com",
-	"graph.microsoft.com",
-	"twitter.com",
-	"x.com",
-	"twimg.com",
-	"t.co",
-	"api.telegram.org"
-];
-const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
-const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
-const HARDCODED_URL_FINDING = {
-	rule: "ai-slop/hardcoded-url",
-	message: "Hardcoded environment URL in production code",
-	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
-};
-const HARDCODED_ID_FINDING = {
-	rule: "ai-slop/hardcoded-id",
-	message: "Hardcoded provider/project ID in production code",
-	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
-};
-const makeFinding = (filePath, line, spec) => ({
-	filePath,
-	engine: "ai-slop",
-	rule: spec.rule,
-	severity: "warning",
-	message: spec.message,
-	help: spec.help,
-	line,
-	column: 0,
-	category: "AI Slop",
-	fixable: false
-});
-const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
-const commentStartsBefore = (line, index, ext) => {
-	const prefix = line.slice(0, index);
-	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
-	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
-	return prefix.includes("//") || prefix.includes("/*");
-};
-const safeUrlHost = (urlText) => {
-	try {
-		return new URL(urlText).hostname.toLowerCase();
-	} catch {
-		return null;
-	}
-};
-const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
-const shouldFlagUrlLiteral = (line, urlText) => {
-	if (isEnvBackedLine(line)) return false;
-	const host = safeUrlHost(urlText);
-	if (!host) return false;
-	if (PLACEHOLDER_HOSTS.has(host)) return false;
-	if (LOOPBACK_HOSTS.has(host)) return false;
-	if (isVendorApiHost(host)) return false;
-	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
-	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
-};
-const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
-const hasUsefulIdShape = (value) => {
-	if (PLACEHOLDER_ID_RE.test(value)) return false;
-	if (ENV_VAR_NAME_RE.test(value)) return false;
-	if (/^https?:\/\//i.test(value)) return false;
-	if (/^[A-Za-z]+$/.test(value)) return false;
-	return /[0-9]/.test(value);
-};
-const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
-	const diagnostics = [];
-	if (isCommentOnlyLine(line.trim())) return diagnostics;
-	URL_LITERAL_RE.lastIndex = 0;
-	let urlMatch;
-	while ((urlMatch = URL_LITERAL_RE.exec(line)) !== null) {
-		const urlText = urlMatch[2];
-		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
-		if (!shouldFlagUrlLiteral(line, urlText)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
-	}
-	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
-	ID_LITERAL_RE.lastIndex = 0;
-	let idMatch;
-	while ((idMatch = ID_LITERAL_RE.exec(line)) !== null) {
-		const value = idMatch[2];
-		if (commentStartsBefore(line, idMatch.index, ext)) continue;
-		if (!hasUsefulIdShape(value)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
-	}
-	return diagnostics;
-};
-const scanFileForConfigLiterals = (content, relativePath, ext) => {
-	if (!SOURCE_EXTENSIONS.has(ext)) return [];
-	if (isNonProductionPath(relativePath)) return [];
-	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
-	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
+			line: i + 1,
+			column: 1,
+			category: "AI Slop",
+			fixable: false
+		});
+	}
 };
-const detectHardcodedConfigLiterals = async (context) => {
+const detectGoPatterns = async (context) => {
 	const diagnostics = [];
-	for (const filePath of getSourceFiles(context)) {
+	const files = getSourceFiles(context);
+	for (const filePath of files) {
+		if (!GO_EXTENSIONS.has(path.extname(filePath))) continue;
 		if (isAutoGenerated(filePath)) continue;
+		if (filePath.endsWith("_test.go")) continue;
 		let content;
 		try {
 			content = fs.readFileSync(filePath, "utf-8");
 		} catch {
 			continue;
 		}
-		const relativePath = path.relative(context.rootDirectory, filePath);
-		const ext = path.extname(filePath);
-		diagnostics.push(...scanFileForConfigLiterals(content, relativePath, ext));
+		const lines = content.split("\n");
+		const pkg = detectPackageName(lines);
+		if (!pkg) continue;
+		flagLibraryPanic(lines, path.relative(context.rootDirectory, filePath), pkg, diagnostics);
 	}
 	return diagnostics;
 };
@@ -2250,15 +2314,18 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 	}
 	return globs;
 };
+const readWorkspaceEntries = (dir) => {
+	try {
+		return fs.readdirSync(dir, { withFileTypes: true });
+	} catch {
+		return [];
+	}
+};
 const expandWorkspaceDirs = (rootDir, globs) => {
 	const dirs = [];
 	for (const glob of globs) if (glob.endsWith("/*")) {
 		const parent = path.join(rootDir, glob.slice(0, -2));
-		try {
-			for (const entry of fs.readdirSync(parent, { withFileTypes: true })) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
-		} catch {
-			continue;
-		}
+		for (const entry of readWorkspaceEntries(parent)) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
 	} else if (!glob.includes("*")) dirs.push(path.join(rootDir, glob));
 	return dirs;
 };
@@ -2891,6 +2958,241 @@ const detectHallucinatedImports = async (context) => {
 	return diagnostics;
 };
 
+//#endregion
+//#region src/engines/ai-slop/hardcoded-config.ts
+const SOURCE_EXTENSIONS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs",
+	".py",
+	".go",
+	".rs",
+	".rb",
+	".java",
+	".php"
+]);
+const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
+const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
+const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
+const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
+const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
+const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
+const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
+const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
+const PLACEHOLDER_HOSTS = new Set([
+	"example.com",
+	"example.org",
+	"example.net"
+]);
+const LOOPBACK_HOSTS = new Set([
+	"localhost",
+	"127.0.0.1",
+	"0.0.0.0",
+	"::1"
+]);
+const VENDOR_API_DOMAINS = [
+	"github.com",
+	"githubusercontent.com",
+	"googleapis.com",
+	"accounts.google.com",
+	"stripe.com",
+	"openai.com",
+	"anthropic.com",
+	"slack.com",
+	"twilio.com",
+	"sendgrid.com",
+	"mailgun.net",
+	"cloudflare.com",
+	"discord.com",
+	"telegram.org",
+	"login.microsoftonline.com",
+	"graph.microsoft.com",
+	"twitter.com",
+	"x.com",
+	"twimg.com",
+	"t.co",
+	"api.telegram.org"
+];
+const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
+const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const HARDCODED_URL_FINDING = {
+	rule: "ai-slop/hardcoded-url",
+	message: "Hardcoded environment URL in production code",
+	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
+};
+const HARDCODED_ID_FINDING = {
+	rule: "ai-slop/hardcoded-id",
+	message: "Hardcoded provider/project ID in production code",
+	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
+};
+const makeFinding = (filePath, line, spec) => ({
+	filePath,
+	engine: "ai-slop",
+	rule: spec.rule,
+	severity: "warning",
+	message: spec.message,
+	help: spec.help,
+	line,
+	column: 0,
+	category: "AI Slop",
+	fixable: false
+});
+const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+const commentStartsBefore = (line, index, ext) => {
+	const prefix = line.slice(0, index);
+	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
+	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
+	return prefix.includes("//") || prefix.includes("/*");
+};
+const safeUrlHost = (urlText) => {
+	try {
+		return new URL(urlText).hostname.toLowerCase();
+	} catch {
+		return null;
+	}
+};
+const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const shouldFlagUrlLiteral = (line, urlText) => {
+	if (isEnvBackedLine(line)) return false;
+	const host = safeUrlHost(urlText);
+	if (!host) return false;
+	if (PLACEHOLDER_HOSTS.has(host)) return false;
+	if (LOOPBACK_HOSTS.has(host)) return false;
+	if (isVendorApiHost(host)) return false;
+	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
+	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
+};
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
+const hasUsefulIdShape = (value) => {
+	if (PLACEHOLDER_ID_RE.test(value)) return false;
+	if (ENV_VAR_NAME_RE.test(value)) return false;
+	if (/^https?:\/\//i.test(value)) return false;
+	if (/^[A-Za-z]+$/.test(value)) return false;
+	return /[0-9]/.test(value);
+};
+const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
+	const diagnostics = [];
+	if (isCommentOnlyLine(line.trim())) return diagnostics;
+	for (const urlMatch of line.matchAll(URL_LITERAL_RE)) {
+		const urlText = urlMatch[2];
+		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
+		if (!shouldFlagUrlLiteral(line, urlText)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
+	}
+	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
+	for (const idMatch of line.matchAll(ID_LITERAL_RE)) {
+		const value = idMatch[2];
+		if (commentStartsBefore(line, idMatch.index, ext)) continue;
+		if (!hasUsefulIdShape(value)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
+	}
+	return diagnostics;
+};
+const scanFileForConfigLiterals = (content, relativePath, ext) => {
+	if (!SOURCE_EXTENSIONS.has(ext)) return [];
+	if (isNonProductionPath(relativePath)) return [];
+	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
+	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
+};
+const detectHardcodedConfigLiterals = async (context) => {
+	const diagnostics = [];
+	for (const filePath of getSourceFiles(context)) {
+		if (isAutoGenerated(filePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		const ext = path.extname(filePath);
+		diagnostics.push(...scanFileForConfigLiterals(maskComments(content, ext), relativePath, ext));
+	}
+	return diagnostics;
+};
+
+//#endregion
+//#region src/utils/suppress.ts
+const DIRECTIVE_RE = /(?:\/\/|\/\*|#|<!--|\*)\s*aislop-ignore-(next-line|line|file)\b([^\n]*)/;
+const isAislopDirectiveLine = (line) => DIRECTIVE_RE.test(line);
+const parseDirective = (rest) => {
+	const tokens = rest.split("--")[0].match(/[A-Za-z0-9@][\w@/.-]*/g) ?? [];
+	if (tokens.length === 0) return {
+		rules: /* @__PURE__ */ new Set(),
+		all: true
+	};
+	return {
+		rules: new Set(tokens),
+		all: false
+	};
+};
+const covers = (directive, rule) => directive.all || [...directive.rules].some((r) => r === rule || rule.endsWith(`/${r}`));
+const parseFileDirectives = (content) => {
+	const lines = content.split(/\r?\n/);
+	const file = [];
+	const byLine = /* @__PURE__ */ new Map();
+	const addLine = (target, directive) => {
+		const list = byLine.get(target) ?? [];
+		list.push(directive);
+		byLine.set(target, list);
+	};
+	for (let i = 0; i < lines.length; i++) {
+		const match = DIRECTIVE_RE.exec(lines[i]);
+		if (!match) continue;
+		const scope = match[1];
+		const directive = parseDirective(match[2] ?? "");
+		if (scope === "file") file.push(directive);
+		else if (scope === "next-line") addLine(i + 2, directive);
+		else addLine(i + 1, directive);
+	}
+	return {
+		file,
+		byLine
+	};
+};
+const applySuppressions = (results, rootDirectory) => {
+	const cache = /* @__PURE__ */ new Map();
+	let suppressedCount = 0;
+	const load = (filePath) => {
+		const cached = cache.get(filePath);
+		if (cached !== void 0) return cached;
+		const absolute = path.isAbsolute(filePath) ? filePath : path.join(rootDirectory, filePath);
+		let parsed = null;
+		try {
+			parsed = parseFileDirectives(fs.readFileSync(absolute, "utf-8"));
+		} catch {
+			parsed = null;
+		}
+		cache.set(filePath, parsed);
+		return parsed;
+	};
+	const isSuppressed = (diagnostic) => {
+		const directives = load(diagnostic.filePath);
+		if (!directives) return false;
+		if (directives.file.some((d) => covers(d, diagnostic.rule))) return true;
+		return (directives.byLine.get(diagnostic.line) ?? []).some((d) => covers(d, diagnostic.rule));
+	};
+	return {
+		results: results.map((result) => {
+			const kept = result.diagnostics.filter((diagnostic) => {
+				if (isSuppressed(diagnostic)) {
+					suppressedCount += 1;
+					return false;
+				}
+				return true;
+			});
+			return {
+				...result,
+				diagnostics: kept
+			};
+		}),
+		suppressedCount
+	};
+};
+
 //#endregion
 //#region src/engines/ai-slop/comment-blocks.ts
 const stripJsdocLine = (line) => line.replace(/^\s*\/\*\*+\s?/, "").replace(/\s*\*+\/\s*$/, "").replace(/^\s*\*\s?/, "").trim();
@@ -2914,6 +3216,7 @@ const getCommentSyntax = (ext) => {
 };
 const getMatchedLinePrefix = (line, syntax) => {
 	const trimmed = line.trimStart();
+	if (isAislopDirectiveLine(trimmed)) return null;
 	for (const prefix of syntax.linePrefixes) {
 		if (!trimmed.startsWith(prefix)) continue;
 		if (prefix === "#" && trimmed.startsWith("#!")) return null;
@@ -3654,7 +3957,7 @@ const detectRustPatterns = async (context) => {
 
 //#endregion
 //#region src/engines/ai-slop/silent-recovery.ts
-const JS_EXTS$1 = new Set([
+const JS_EXTS = new Set([
 	".ts",
 	".tsx",
 	".js",
@@ -3713,9 +4016,7 @@ const isLogOnlyBody = (body) => {
 };
 const detectJsSilentRecovery = (content, relPath) => {
 	const out = [];
-	CATCH_HEAD_RE.lastIndex = 0;
-	let match;
-	while ((match = CATCH_HEAD_RE.exec(content)) !== null) {
+	for (const match of content.matchAll(CATCH_HEAD_RE)) {
 		const body = extractCatchBody(content, match.index + match[0].length - 1);
 		if (body === null) continue;
 		if (!isLogOnlyBody(body)) continue;
@@ -3783,7 +4084,7 @@ const detectSilentRecovery = async (context) => {
 	for (const filePath of files) {
 		if (isAutoGenerated(filePath)) continue;
 		const ext = path.extname(filePath);
-		const isJs = JS_EXTS$1.has(ext);
+		const isJs = JS_EXTS.has(ext);
 		if (!isJs && !(ext === ".py")) continue;
 		const relPath = path.relative(context.rootDirectory, filePath);
 		if (isNonProductionPath(relPath)) continue;
@@ -3892,18 +4193,22 @@ const extractPyImportedSymbols = (lines) => {
 			}
 			continue;
 		}
-		const importMatch = trimmed.match(/^import\s+([\w.]+)(?:\s+as\s+(\w+))?/);
+		const importMatch = trimmed.match(/^import\s+(.+)/);
 		if (importMatch) {
 			importLines.add(i);
-			const alias = importMatch[2];
-			if (alias && alias === importMatch[1]) continue;
-			const simpleName = (alias ?? importMatch[1]).split(".")[0];
-			if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
-				name: simpleName,
-				line: i + 1,
-				isDefault: false,
-				isNamespace: true
-			});
+			for (const clause of importMatch[1].replace(/#.*$/, "").split(",")) {
+				const clauseMatch = clause.trim().match(/^([\w.]+)(?:\s+as\s+(\w+))?/);
+				if (!clauseMatch) continue;
+				const alias = clauseMatch[2];
+				if (alias && alias === clauseMatch[1]) continue;
+				const simpleName = (alias ?? clauseMatch[1]).split(".")[0];
+				if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
+					name: simpleName,
+					line: i + 1,
+					isDefault: false,
+					isNamespace: true
+				});
+			}
 		}
 	}
 	return {
@@ -3913,8 +4218,7 @@ const extractPyImportedSymbols = (lines) => {
 };
 const isSymbolUsed = (name, content, importLines, lines) => {
 	const pattern = new RegExp(`\\b${name}\\b`, "g");
-	let match;
-	while ((match = pattern.exec(content)) !== null) {
+	for (const match of content.matchAll(pattern)) {
 		const lineIndex = content.slice(0, match.index).split("\n").length - 1;
 		if (!importLines.has(lineIndex)) return true;
 	}
@@ -4015,6 +4319,18 @@ const aiSlopEngine = {
 
 //#endregion
 //#region src/engines/architecture/matchers.ts
+const REGEX_SPECIAL_CHARS = new Set([
+	".",
+	"+",
+	"^",
+	"$",
+	"{",
+	"}",
+	"(",
+	")",
+	"|",
+	"\\"
+]);
 const minimatch = (filePath, pattern) => {
 	let regex = "";
 	let i = 0;
@@ -4039,7 +4355,7 @@ const minimatch = (filePath, pattern) => {
 				regex += pattern.slice(i, closeIndex + 1);
 				i = closeIndex + 1;
 			}
-		} else if (".+^${}()|\\".includes(ch)) {
+		} else if (REGEX_SPECIAL_CHARS.has(ch)) {
 			regex += `\\${ch}`;
 			i++;
 		} else {
@@ -4059,27 +4375,15 @@ const extractImports = (content, ext) => {
 		".mjs",
 		".cjs"
 	].includes(ext)) {
-		const esPattern = /(?:import|from)\s+["']([^"']+)["']/g;
-		let match;
-		while ((match = esPattern.exec(content)) !== null) imports.push(match[1]);
-		const reqPattern = /require\s*\(\s*["']([^"']+)["']\s*\)/g;
-		while ((match = reqPattern.exec(content)) !== null) imports.push(match[1]);
-	}
-	if (ext === ".py") {
-		const pyPattern = /(?:from|import)\s+([\w.]+)/g;
-		let match;
-		while ((match = pyPattern.exec(content)) !== null) imports.push(match[1]);
+		for (const match of content.matchAll(/(?:import|from)\s+["']([^"']+)["']/g)) imports.push(match[1]);
+		for (const match of content.matchAll(/require\s*\(\s*["']([^"']+)["']\s*\)/g)) imports.push(match[1]);
 	}
+	if (ext === ".py") for (const match of content.matchAll(/(?:from|import)\s+([\w.]+)/g)) imports.push(match[1]);
 	if (ext === ".go") {
-		const goSingleImport = /^\s*import\s+"([^"]+)"/gm;
-		let match;
-		while ((match = goSingleImport.exec(content)) !== null) imports.push(match[1]);
-		const goMultiImport = /import\s*\(([^)]*)\)/gs;
-		while ((match = goMultiImport.exec(content)) !== null) {
+		for (const match of content.matchAll(/^\s*import\s+"([^"]+)"/gm)) imports.push(match[1]);
+		for (const match of content.matchAll(/import\s*\(([^)]*)\)/gs)) {
 			const block = match[1];
-			const pkgPattern = /"([^"]+)"/g;
-			let pkgMatch;
-			while ((pkgMatch = pkgPattern.exec(block)) !== null) imports.push(pkgMatch[1]);
+			for (const pkgMatch of block.matchAll(/"([^"]+)"/g)) imports.push(pkgMatch[1]);
 		}
 	}
 	return imports;
@@ -4206,10 +4510,10 @@ const architectureEngine = {
 //#endregion
 //#region src/engines/code-quality/function-boundaries.ts
 const PYTHON_CONTROL_FLOW_RE = /^\s*(?:if|for|while|with|try|except|else|elif|finally|def|class)\b/;
-const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
-const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
-const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
-const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
+const ARROW_BLOCK_RE = /=>\s*\{/;
+const ARROW_END_RE = /=>\s*$/;
+const BRACE_START_RE = /^\s*\{/;
+const NEW_STATEMENT_RE = /^(?:export\s+)?(?:const|let|var|function|class)\s/;
 const isControlFlowBrace = (lineText, braceIndex) => {
 	const before = lineText.substring(0, braceIndex).trimEnd();
 	if (before.endsWith(")")) return true;
@@ -4263,12 +4567,92 @@ const findBraceFunctionEnd = (lines, startIndex) => {
 		maxNesting
 	};
 };
-const findPythonFunctionEnd = (lines, startIndex) => {
-	const baseIndent = lines[startIndex].match(/^(\s*)/)?.[1].length ?? 0;
-	let endLine = startIndex;
+const extractPythonSignature = (lines, startIndex) => {
+	let depth = 0;
+	let started = false;
+	let params = "";
+	for (let j = startIndex; j < lines.length; j++) {
+		const l = lines[j];
+		for (let ci = 0; ci < l.length; ci++) {
+			const ch = l[ci];
+			if (ch === "(") {
+				depth++;
+				if (depth === 1 && !started) {
+					started = true;
+					continue;
+				}
+			} else if (ch === ")") {
+				depth--;
+				if (depth === 0) return {
+					params,
+					sigEndIndex: j
+				};
+			}
+			if (started) params += ch;
+		}
+		if (started) params += " ";
+	}
+	return {
+		params,
+		sigEndIndex: startIndex
+	};
+};
+const countPythonParams = (signature) => {
+	let depth = 0;
+	const parts = [];
+	let current = "";
+	for (const ch of signature) {
+		if (ch === "(" || ch === "[" || ch === "{") depth++;
+		else if (ch === ")" || ch === "]" || ch === "}") depth--;
+		if (ch === "," && depth === 0) {
+			parts.push(current);
+			current = "";
+			continue;
+		}
+		current += ch;
+	}
+	parts.push(current);
+	let count = 0;
+	for (const raw of parts) {
+		const p = raw.trim();
+		if (p.length === 0 || p === "*" || p === "/") continue;
+		if (p.startsWith("*")) continue;
+		if (p.includes("=")) continue;
+		const name = p.split(":")[0].trim();
+		if (name === "self" || name === "cls") continue;
+		count++;
+	}
+	return count;
+};
+const countPythonBodyCodeLines = (lines, sigEndIndex, endLine) => {
+	let count = 0;
+	let inDoc = false;
+	let delim = "";
+	for (let j = sigEndIndex + 1; j <= endLine && j < lines.length; j++) {
+		const t = lines[j].trim();
+		if (inDoc) {
+			if (t.includes(delim)) inDoc = false;
+			continue;
+		}
+		if (t === "" || t.startsWith("#")) continue;
+		const opener = t.startsWith("\"\"\"") ? "\"\"\"" : t.startsWith("'''") ? "'''" : "";
+		if (opener) {
+			if (!t.slice(3).includes(opener)) {
+				inDoc = true;
+				delim = opener;
+			}
+			continue;
+		}
+		count++;
+	}
+	return count;
+};
+const findPythonFunctionEnd = (lines, defIndex, bodyStartIndex) => {
+	const baseIndent = lines[defIndex].match(/^(\s*)/)?.[1].length ?? 0;
+	let endLine = bodyStartIndex;
 	let maxNesting = 0;
 	const controlIndentStack = [];
-	for (let j = startIndex + 1; j < lines.length; j++) {
+	for (let j = bodyStartIndex + 1; j < lines.length; j++) {
 		const l = lines[j];
 		if (l.trim() === "") {
 			endLine = j;
@@ -4290,7 +4674,10 @@ const findPythonFunctionEnd = (lines, startIndex) => {
 	};
 };
 const findFunctionEnd = (lines, startIndex, isPython) => {
-	if (isPython) return findPythonFunctionEnd(lines, startIndex);
+	if (isPython) {
+		const { sigEndIndex } = extractPythonSignature(lines, startIndex);
+		return findPythonFunctionEnd(lines, startIndex, sigEndIndex);
+	}
 	return findBraceFunctionEnd(lines, startIndex);
 };
 const isBlockArrow = (lines, startIndex) => {
@@ -4312,14 +4699,14 @@ const countTemplateLines = (bodyLines) => {
 	let templateLineCount = 0;
 	for (const line of bodyLines) {
 		const startedInside = insideTemplate;
-		let escape = false;
+		let escaped = false;
 		for (const ch of line) {
-			if (escape) {
-				escape = false;
+			if (escaped) {
+				escaped = false;
 				continue;
 			}
 			if (ch === "\\") {
-				escape = true;
+				escaped = true;
 				continue;
 			}
 			if (ch === "`") insideTemplate = !insideTemplate;
@@ -4355,7 +4742,7 @@ const FUNCTION_PATTERNS = [
 		]
 	},
 	{
-		regex: /^\s*def\s+(\w+)\s*\(([^)]*)\)/,
+		regex: /^\s*(?:async\s+)?def\s+(\w+)\s*\(/,
 		langFilter: [".py"]
 	},
 	{
@@ -4412,14 +4799,23 @@ const analyzeFunctions = (content, ext) => {
 		const isPython = fnMatch.patternIndex === 2;
 		if (fnMatch.patternIndex === 1 && !isBlockArrow(lines, i)) continue;
 		const { endLine, maxNesting } = findFunctionEnd(lines, i, isPython);
-		const bodyLines = lines.slice(i + 1, endLine);
-		const templateLines = isPython ? 0 : countTemplateLines(bodyLines);
+		let templateLines;
+		let paramCount;
+		if (isPython) {
+			const sig = extractPythonSignature(lines, i);
+			const codeLines = countPythonBodyCodeLines(lines, sig.sigEndIndex, endLine);
+			templateLines = endLine - i + 1 - codeLines;
+			paramCount = countPythonParams(sig.params);
+		} else {
+			templateLines = countTemplateLines(lines.slice(i + 1, endLine));
+			paramCount = countParams(fnMatch.params);
+		}
 		functions.push({
 			name: fnMatch.name,
 			startLine: i + 1,
 			lineCount: endLine - i + 1,
 			maxNesting,
-			paramCount: countParams(fnMatch.params),
+			paramCount,
 			templateLines
 		});
 	}
@@ -5354,9 +5750,7 @@ const runRuffFormat = async (context) => {
 };
 const parseRuffFormatOutput = (output, rootDir) => {
 	const diagnostics = [];
-	const filePattern = /^--- (.+)$/gm;
-	let match;
-	while ((match = filePattern.exec(output)) !== null) {
+	for (const match of output.matchAll(/^--- (.+)$/gm)) {
 		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
 			filePath,
@@ -5390,10 +5784,10 @@ const formatEngine = {
 		const { languages, installedTools } = context;
 		const promises = [];
 		if (languages.includes("typescript") || languages.includes("javascript")) promises.push(runBiomeFormat(context));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffFormat(context));
-		if (languages.includes("go") && installedTools["gofmt"]) promises.push(runGofmt(context));
-		if (languages.includes("rust") && installedTools["rustfmt"]) promises.push(runGenericFormatter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericFormatter(context, "ruby"));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffFormat(context));
+		if (languages.includes("go") && installedTools.gofmt) promises.push(runGofmt(context));
+		if (languages.includes("rust") && installedTools.rustfmt) promises.push(runGenericFormatter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericFormatter(context, "ruby"));
 		if (languages.includes("php") && installedTools["php-cs-fixer"]) promises.push(runGenericFormatter(context, "php"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -5829,6 +6223,8 @@ const createOxlintConfig = (options) => {
 	if (options.mode === "fix") {
 		rules["no-unused-vars"] = "off";
 		rules["react-hooks/exhaustive-deps"] = "off";
+		rules["jsx-a11y/no-aria-hidden-on-focusable"] = "off";
+		rules["unicorn/no-useless-fallback-in-spread"] = "off";
 	}
 	const plugins = [
 		"import",
@@ -5993,9 +6389,7 @@ const collectAmbientGlobals = (rootDir) => {
 		if (!relativePath.endsWith(".d.ts")) continue;
 		const content = readTextFile$1(path.join(rootDir, relativePath));
 		if (!content) continue;
-		AMBIENT_GLOBAL_RE.lastIndex = 0;
-		let match;
-		while ((match = AMBIENT_GLOBAL_RE.exec(content)) !== null) globals.add(match[1]);
+		for (const match of content.matchAll(AMBIENT_GLOBAL_RE)) globals.add(match[1]);
 	}
 	const deps = collectPackageNames(rootDir);
 	if (deps.has("@types/bun") || deps.has("bun-types")) globals.add("Bun");
@@ -6346,10 +6740,10 @@ const lintEngine = {
 			if (context.config.lint.typecheck) promises.push(import("./typecheck-wVSohmOX.js").then((mod) => mod.runTypecheck(context)));
 		}
 		if (context.frameworks.includes("expo")) promises.push(Promise.resolve().then(() => expo_doctor_exports).then((mod) => mod.runExpoDoctor(context)));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffLint(context));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffLint(context));
 		if (languages.includes("go") && installedTools["golangci-lint"]) promises.push(runGolangciLint(context));
-		if (languages.includes("rust") && installedTools["cargo"]) promises.push(runGenericLinter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericLinter(context, "ruby"));
+		if (languages.includes("rust") && installedTools.cargo) promises.push(runGenericLinter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericLinter(context, "ruby"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
 		return {
@@ -6379,7 +6773,7 @@ const runDependencyAudit = async (context) => {
 		else if (fs.existsSync(path.join(context.rootDirectory, "package-lock.json")) || fs.existsSync(path.join(context.rootDirectory, "package.json"))) promises.push(runNpmAudit(context.rootDirectory, timeout));
 	}
 	if (context.languages.includes("python") && context.installedTools["pip-audit"]) promises.push(runPipAudit(context.rootDirectory, timeout));
-	if (context.languages.includes("go") && context.installedTools["govulncheck"]) promises.push(runGovulncheck(context.rootDirectory, timeout));
+	if (context.languages.includes("go") && context.installedTools.govulncheck) promises.push(runGovulncheck(context.rootDirectory, timeout));
 	if (context.languages.includes("rust")) promises.push(runCargoAudit(context.rootDirectory, timeout));
 	const results = await Promise.allSettled(promises);
 	for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -6484,9 +6878,12 @@ const parseLegacyAdvisories = (advisories, source) => {
 	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
 	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
+const carriesAdvisory = (vulnerability) => Array.isArray(vulnerability.via) && vulnerability.via.some((entry) => entry !== null && typeof entry === "object");
 const parseModernVulnerabilities = (vulnerabilities, source) => {
 	const bucket = /* @__PURE__ */ new Map();
+	const hasRootCauses = Object.values(vulnerabilities).some(carriesAdvisory);
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
+		if (hasRootCauses && !carriesAdvisory(vulnerability)) continue;
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
@@ -6568,271 +6965,65 @@ const runGovulncheck = async (rootDir, timeout) => {
 			cwd: rootDir,
 			timeout
 		});
-		if (!result.stdout) return [];
-		return parseGovulncheckOutput(result.stdout);
-	} catch {
-		return [];
-	}
-};
-const toGovulnDiagnostic = (entry) => {
-	if (!entry.vulnerability) return null;
-	return {
-		filePath: "go.mod",
-		engine: "security",
-		rule: "security/vulnerable-dependency",
-		severity: "error",
-		message: `Go vulnerability: ${entry.vulnerability.id ?? "unknown"}`,
-		help: withFixHint(entry.vulnerability.details ?? ""),
-		line: 0,
-		column: 0,
-		category: "Security",
-		fixable: false
-	};
-};
-const parseGovulncheckOutput = (output) => {
-	const diagnostics = [];
-	for (const line of output.split("\n")) {
-		if (!line.startsWith("{")) continue;
-		let parsed = null;
-		try {
-			parsed = JSON.parse(line);
-		} catch {
-			parsed = null;
-		}
-		if (!parsed) continue;
-		const diagnostic = toGovulnDiagnostic(parsed);
-		if (diagnostic) diagnostics.push(diagnostic);
-	}
-	return diagnostics;
-};
-const runCargoAudit = async (rootDir, timeout) => {
-	try {
-		const result = await runSubprocess("cargo", ["audit", "--json"], {
-			cwd: rootDir,
-			timeout
-		});
-		if (!result.stdout) return [];
-		return (JSON.parse(result.stdout).vulnerabilities?.list ?? []).map((v) => ({
-			filePath: "Cargo.toml",
-			engine: "security",
-			rule: "security/vulnerable-dependency",
-			severity: "error",
-			message: `Rust vulnerability: ${v.advisory?.id ?? "unknown"}`,
-			help: withFixHint(v.advisory?.title ?? ""),
-			line: 0,
-			column: 0,
-			category: "Security",
-			fixable: false
-		}));
-	} catch {
-		return [];
-	}
-};
-
-//#endregion
-//#region src/utils/source-masker.ts
-const JS_EXTS = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs"
-]);
-const PY_EXTS = new Set([".py"]);
-const RB_EXTS = new Set([".rb"]);
-const PHP_EXTS = new Set([".php"]);
-const familyForExt = (ext) => {
-	if (JS_EXTS.has(ext)) return "js";
-	if (PY_EXTS.has(ext)) return "py";
-	if (RB_EXTS.has(ext)) return "rb";
-	if (PHP_EXTS.has(ext)) return "php";
-	return "none";
-};
-const maskStringsAndComments = (content, ext) => {
-	const family = familyForExt(ext);
-	if (family === "none") return content;
-	if (family === "js") return maskJs(content);
-	return maskSimple(content, family);
-};
-const handleQuotesAndComments = (content, i, tplStack, mask) => {
-	const len = content.length;
-	const c = content[i];
-	const next = content[i + 1];
-	if (c === "\"" || c === "'") {
-		const strStart = i;
-		const end = consumeQuotedString(content, i, c);
-		mask(strStart + 1, end - 1);
-		return {
-			handled: true,
-			nextI: end
-		};
-	}
-	if (c === "`") {
-		const scan = consumeTemplateString(content, i + 1);
-		mask(i + 1, scan.maskEnd);
-		if (scan.openedInterp) tplStack.push(0);
-		return {
-			handled: true,
-			nextI: scan.resumeAt
-		};
-	}
-	if (c === "/" && next === "/") {
-		const strStart = i;
-		let k = i;
-		while (k < len && content[k] !== "\n") k++;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	if (c === "/" && next === "*") {
-		const strStart = i;
-		let k = i + 2;
-		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
-		if (k < len - 1) k += 2;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	return {
-		handled: false,
-		nextI: i
-	};
-};
-const maskJs = (content) => {
-	const out = content.split("");
-	const len = content.length;
-	const tplStack = [];
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		if (tplStack.length > 0) {
-			if (c === "{") {
-				tplStack[tplStack.length - 1]++;
-				i++;
-				continue;
-			}
-			if (c === "}") {
-				if (tplStack[tplStack.length - 1] === 0) {
-					tplStack.pop();
-					const scan = consumeTemplateString(content, i + 1);
-					mask(i + 1, scan.maskEnd);
-					if (scan.openedInterp) tplStack.push(0);
-					i = scan.resumeAt;
-					continue;
-				}
-				tplStack[tplStack.length - 1]--;
-				i++;
-				continue;
-			}
-		}
-		const handled = handleQuotesAndComments(content, i, tplStack, mask);
-		if (handled.handled) {
-			i = handled.nextI;
-			continue;
-		}
-		i++;
-	}
-	return out.join("");
-};
-const consumeQuotedString = (content, start, quote) => {
-	const len = content.length;
-	let i = start + 1;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === quote) return i + 1;
-		if (c === "\n") return i;
-		i++;
-	}
-	return i;
-};
-const consumeTemplateString = (content, start) => {
-	const len = content.length;
-	let i = start;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === "`") return {
-			maskEnd: i,
-			resumeAt: i + 1,
-			openedInterp: false
-		};
-		if (c === "$" && content[i + 1] === "{") return {
-			maskEnd: i,
-			resumeAt: i + 2,
-			openedInterp: true
-		};
-		i++;
-	}
-	return {
-		maskEnd: i,
-		resumeAt: i,
-		openedInterp: false
-	};
-};
-const maskSimple = (content, family) => {
-	const out = content.split("");
-	const len = content.length;
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		const next = content[i + 1];
-		if (family === "py" && (c === "\"" || c === "'")) {
-			if (content[i + 1] === c && content[i + 2] === c) {
-				const triple = c + c + c;
-				const end = content.indexOf(triple, i + 3);
-				const stop = end === -1 ? len : end + 3;
-				mask(i + 3, stop - 3);
-				i = stop;
-				continue;
-			}
-		}
-		if (c === "\"" || c === "'") {
-			const strStart = i;
-			i = consumeQuotedString(content, i, c);
-			mask(strStart + 1, i - 1);
-			continue;
-		}
-		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "/") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "*") {
-			const strStart = i;
-			i += 2;
-			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
-			if (i < len - 1) i += 2;
-			mask(strStart, i);
-			continue;
+		if (!result.stdout) return [];
+		return parseGovulncheckOutput(result.stdout);
+	} catch {
+		return [];
+	}
+};
+const toGovulnDiagnostic = (entry) => {
+	if (!entry.vulnerability) return null;
+	return {
+		filePath: "go.mod",
+		engine: "security",
+		rule: "security/vulnerable-dependency",
+		severity: "error",
+		message: `Go vulnerability: ${entry.vulnerability.id ?? "unknown"}`,
+		help: withFixHint(entry.vulnerability.details ?? ""),
+		line: 0,
+		column: 0,
+		category: "Security",
+		fixable: false
+	};
+};
+const parseGovulncheckOutput = (output) => {
+	const diagnostics = [];
+	for (const line of output.split("\n")) {
+		if (!line.startsWith("{")) continue;
+		let parsed = null;
+		try {
+			parsed = JSON.parse(line);
+		} catch {
+			parsed = null;
 		}
-		i++;
+		if (!parsed) continue;
+		const diagnostic = toGovulnDiagnostic(parsed);
+		if (diagnostic) diagnostics.push(diagnostic);
+	}
+	return diagnostics;
+};
+const runCargoAudit = async (rootDir, timeout) => {
+	try {
+		const result = await runSubprocess("cargo", ["audit", "--json"], {
+			cwd: rootDir,
+			timeout
+		});
+		if (!result.stdout) return [];
+		return (JSON.parse(result.stdout).vulnerabilities?.list ?? []).map((v) => ({
+			filePath: "Cargo.toml",
+			engine: "security",
+			rule: "security/vulnerable-dependency",
+			severity: "error",
+			message: `Rust vulnerability: ${v.advisory?.id ?? "unknown"}`,
+			help: withFixHint(v.advisory?.title ?? ""),
+			line: 0,
+			column: 0,
+			category: "Security",
+			fixable: false
+		}));
+	} catch {
+		return [];
 	}
-	return out.join("");
 };
 
 //#endregion
@@ -6980,8 +7171,7 @@ const detectRiskyConstructs = async (context) => {
 			if (!extensions.includes(ext)) continue;
 			if (isMigrationOrSeeder && name === "sql-injection") continue;
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(masked)) !== null) {
+			for (const match of masked.matchAll(regex)) {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
@@ -7109,11 +7299,11 @@ const scanSecrets = async (context) => {
 		} catch {
 			continue;
 		}
+		content = maskComments(content, path.extname(filePath));
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, name, keywordPrefixed } of SECRET_PATTERNS) {
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isPlaceholderValue(match[1] ?? match[0])) continue;
 				if (keywordPrefixed && isInsideStringLiteral(content, match.index)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
@@ -7234,6 +7424,64 @@ const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoot
 
 //#endregion
 //#region src/utils/discover.ts
+const UNSUPPORTED_CODE_EXTENSIONS = {
+	".c": "C/C++",
+	".h": "C/C++",
+	".cc": "C/C++",
+	".cpp": "C/C++",
+	".cxx": "C/C++",
+	".hpp": "C/C++",
+	".hh": "C/C++",
+	".hxx": "C/C++",
+	".cs": "C#",
+	".swift": "Swift",
+	".kt": "Kotlin",
+	".kts": "Kotlin",
+	".m": "Objective-C",
+	".mm": "Objective-C",
+	".scala": "Scala",
+	".dart": "Dart",
+	".ex": "Elixir",
+	".exs": "Elixir",
+	".erl": "Erlang",
+	".hs": "Haskell",
+	".clj": "Clojure",
+	".cljs": "Clojure",
+	".lua": "Lua",
+	".jl": "Julia",
+	".zig": "Zig",
+	".nim": "Nim",
+	".ml": "OCaml",
+	".fs": "F#",
+	".sol": "Solidity",
+	".groovy": "Groovy"
+};
+const analyzeCoverage = (rootDirectory, excludePatterns = []) => {
+	const allFiles = listProjectFiles(rootDirectory);
+	const supportedFiles = filterProjectFiles(rootDirectory, allFiles, [], excludePatterns).length;
+	const counts = /* @__PURE__ */ new Map();
+	let unsupportedFiles = 0;
+	const candidates = filterProjectFiles(rootDirectory, allFiles, Object.keys(UNSUPPORTED_CODE_EXTENSIONS), excludePatterns);
+	for (const file of candidates) {
+		const lang = UNSUPPORTED_CODE_EXTENSIONS[path.extname(file).toLowerCase()];
+		if (!lang) continue;
+		unsupportedFiles += 1;
+		counts.set(lang, (counts.get(lang) ?? 0) + 1);
+	}
+	let dominantUnsupported = null;
+	let max = 0;
+	for (const [lang, count] of counts) if (count > max) {
+		max = count;
+		dominantUnsupported = lang;
+	}
+	const negligible = supportedFiles === 0 || unsupportedFiles >= 10 && unsupportedFiles > supportedFiles * 3;
+	return {
+		supportedFiles,
+		unsupportedFiles,
+		dominantUnsupported,
+		scoreable: !negligible
+	};
+};
 const LANGUAGE_SIGNALS = {
 	"tsconfig.json": "typescript",
 	"go.mod": "go",
@@ -7353,11 +7601,12 @@ const checkInstalledTools = async () => {
 	}));
 	return results;
 };
-const discoverProject = async (directory) => {
+const discoverProject = async (directory, excludePatterns = []) => {
 	const resolvedDir = path.resolve(directory);
 	const languages = detectLanguages(resolvedDir);
 	const frameworks = detectFrameworks(resolvedDir);
 	const sourceFileCount = countSourceFiles(resolvedDir);
+	const coverage = analyzeCoverage(resolvedDir, excludePatterns);
 	const installedTools = await checkInstalledTools();
 	return {
 		rootDirectory: resolvedDir,
@@ -7365,6 +7614,7 @@ const discoverProject = async (directory) => {
 		languages,
 		frameworks,
 		sourceFileCount,
+		coverage,
 		installedTools
 	};
 };
@@ -8071,7 +8321,7 @@ const uninstallRulesOnly = (opts, paths) => {
 	else result.skipped.push(paths.rules);
 	if (paths.host && paths.marker) {
 		const host = readIfExists(paths.host);
-		if (host != null && host.includes(paths.marker)) {
+		if (host?.includes(paths.marker)) {
 			const stripped = host.split("\n").filter((l) => l.trim() !== paths.marker).join("\n").replace(/\n{3,}/g, "\n\n").trim();
 			applyRemoval(result, opts, paths.host, stripped.length === 0 ? null : `${stripped}\n`);
 		} else result.skipped.push(paths.host);
@@ -8487,7 +8737,7 @@ const uninstallGemini = (opts) => {
 	if (readIfExists(paths.aislopMd) != null) applyRemoval(result, opts, paths.aislopMd, null);
 	else result.skipped.push(paths.aislopMd);
 	const geminiMd = readIfExists(paths.geminiMd);
-	if (geminiMd != null && geminiMd.includes("@AISLOP.md")) {
+	if (geminiMd?.includes("@AISLOP.md")) {
 		const stripped = geminiMd.split("\n").filter((l) => l.trim() !== "@AISLOP.md").join("\n").replace(/\n{3,}/g, "\n\n").trim();
 		applyRemoval(result, opts, paths.geminiMd, stripped.length === 0 ? null : `${stripped}\n`);
 	} else result.skipped.push(paths.geminiMd);
@@ -8784,6 +9034,7 @@ const theme = createTheme();
 
 //#endregion
 //#region src/commands/hook.ts
+const HOOK_FLUSH_TIMEOUT_MS = 1500;
 const AGENT_LABELS = {
 	claude: {
 		label: "Claude Code",
@@ -8912,6 +9163,7 @@ const hookRun = async (agent, flags) => {
 		process.stderr.write(`hook: agent "${agent}" has no runtime adapter (rules-file-only)\n`);
 		process.exit(0);
 	}
+	await flushTelemetry(HOOK_FLUSH_TIMEOUT_MS);
 	process.exit(exitCode);
 };
 const hookBaseline = async () => {
@@ -9165,12 +9417,12 @@ const badgeCommand = async (options = {}) => {
 		svgUrl,
 		pageUrl
 	});
-	if (options.json) process.stdout.write(JSON.stringify({
+	if (options.json) process.stdout.write(`${JSON.stringify({
 		owner,
 		repo,
 		svgUrl,
 		pageUrl
-	}) + "\n");
+	})}\n`);
 	else process.stdout.write(output);
 	return {
 		owner,
@@ -9471,7 +9723,7 @@ const renderHeader = (input, _deps = {}) => {
 
 //#endregion
 //#region src/ui/width.ts
-const ANSI_RE = new RegExp(String.raw`\x1B\[[0-9;]*m`, "g");
+const ANSI_RE = new RegExp(`\\[[0-9;]*m`, "g");
 const stripAnsi = (s) => s.replace(ANSI_RE, "");
 const stringWidth = (s) => {
 	const bare = stripAnsi(s);
@@ -9615,6 +9867,8 @@ var LiveGrid = class {
 const RULE_LABELS = {
 	formatting: "Code not formatted",
 	"code-quality/duplicate-block": "Duplicate code block",
+	"code-quality/repeated-chained-call": "Repeated chained call",
+	"code-quality/unused-declaration": "Unused declaration",
 	"complexity/file-too-large": "File too large",
 	"complexity/function-too-long": "Function too long",
 	"complexity/deep-nesting": "Deeply nested code",
@@ -9627,6 +9881,7 @@ const RULE_LABELS = {
 	"knip/binaries": "Unused binary",
 	"knip/exports": "Unused export",
 	"knip/types": "Unused type",
+	"knip/duplicates": "Duplicate export",
 	"ai-slop/trivial-comment": "Trivial restating comment",
 	"ai-slop/swallowed-exception": "Empty catch (swallowed error)",
 	"ai-slop/silent-recovery": "Catch logs then continues",
@@ -9663,6 +9918,7 @@ const RULE_LABELS = {
 	"ai-slop/hallucinated-import": "Import not in package.json",
 	"security/hardcoded-secret": "Possible hardcoded secret",
 	"security/vulnerable-dependency": "Vulnerable dependency",
+	"security/dependency-audit-skipped": "Dependency audit skipped",
 	"security/eval": "eval() usage",
 	"security/innerhtml": "innerHTML assignment",
 	"security/dangerously-set-innerhtml": "dangerouslySetInnerHTML (XSS risk)",
@@ -9820,6 +10076,36 @@ const readHistory = (directory) => {
 	return records;
 };
 
+//#endregion
+//#region src/commands/scan-coverage.ts
+const coverageReason = (c) => {
+	if (c.supportedFiles === 0 && c.dominantUnsupported) return `This repository is ${c.dominantUnsupported} (${c.unsupportedFiles} files), which aislop does not analyze. No score — it would not reflect this code.`;
+	if (c.supportedFiles === 0) return "No files in a language aislop analyzes (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Java). Nothing to score.";
+	const lang = c.dominantUnsupported ?? "an unsupported language";
+	const files = `${c.supportedFiles} supported file${c.supportedFiles === 1 ? "" : "s"}`;
+	return `This repository is mostly ${lang} (${c.unsupportedFiles} files); aislop analyzed only ${files}. Score withheld — it would represent a sliver of the codebase.`;
+};
+const renderCoverageNotice = (projectInfo, includeHeader) => {
+	const deps = {
+		theme: createTheme(),
+		symbols: createSymbols({ plain: false })
+	};
+	return `${includeHeader === false ? "" : renderHeader({
+		version: APP_VERSION,
+		command: "scan",
+		context: [
+			projectInfo.projectName,
+			projectInfo.languages[0] ?? "unknown",
+			`${projectInfo.sourceFileCount} files`
+		],
+		brand: true
+	}, deps)}  ${coverageReason(projectInfo.coverage)}\n\n`;
+};
+
+//#endregion
+//#region src/commands/scan-exit-code.ts
+const computeScanExitCode = (opts) => opts.hasErrors || opts.scoreable && opts.score < opts.failBelow ? 1 : 0;
+
 //#endregion
 //#region src/commands/scan.ts
 const isMachineOutput = (options) => Boolean(options.json) || Boolean(options.sarif);
@@ -9926,7 +10212,7 @@ const scanCommand = async (directory, config, options) => {
 		else log.error(msg);
 		return { exitCode: 1 };
 	}
-	const projectInfo = await discoverProject(resolvedDir);
+	const projectInfo = await discoverProject(resolvedDir, [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)]);
 	return withCommandLifecycle({
 		command: options.command ?? "scan",
 		config: config.telemetry,
@@ -9939,15 +10225,16 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	const showHeader = options.showHeader !== false;
 	const machineOutput = isMachineOutput(options);
 	const useLiveProgress = !machineOutput && shouldUseSpinner();
+	const excludePatterns = [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)];
 	let files;
 	if (options.staged) {
-		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} staged file(s)`);
 	} else if (options.changes) {
-		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} changed file(s)`);
 	} else {
-		files = filterProjectFiles(resolvedDir, listProjectFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, listProjectFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} file(s) after exclusions`);
 	}
 	const configDir = findConfigDir(resolvedDir);
@@ -10001,14 +10288,21 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		if (!machineOutput && !progressRenderer) printEngineStatus(result);
 	});
 	progressRenderer?.stop();
-	const results = rawResults.map((result) => ({
+	const { results, suppressedCount } = applySuppressions(rawResults.map((result) => ({
 		...result,
 		diagnostics: applyRuleSeverities(result.diagnostics, config.rules)
-	}));
+	})), resolvedDir);
+	if (suppressedCount > 0 && !machineOutput) log.muted(`Suppressed ${suppressedCount} finding(s) via aislop-ignore directives`);
 	const allDiagnostics = results.flatMap((r) => r.diagnostics);
 	const elapsedMs = performance.now() - startTime;
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
-	const exitCode = allDiagnostics.some((d) => d.severity === "error") || scoreResult.score < config.ci.failBelow ? 1 : 0;
+	const scoreable = projectInfo.coverage.scoreable;
+	const exitCode = computeScanExitCode({
+		hasErrors: allDiagnostics.some((d) => d.severity === "error"),
+		scoreable,
+		score: scoreResult.score,
+		failBelow: config.ci.failBelow
+	});
 	const engineIssues = {};
 	const engineTimings = {};
 	for (const r of results) {
@@ -10017,7 +10311,8 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	}
 	const completion = {
 		exitCode,
-		score: scoreResult.score,
+		score: scoreable ? scoreResult.score : null,
+		scoreable,
 		findingCount: allDiagnostics.length,
 		errorCount: allDiagnostics.filter((d) => d.severity === "error").length,
 		warningCount: allDiagnostics.filter((d) => d.severity === "warning").length,
@@ -10031,11 +10326,18 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		return completion;
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-OIzja7OM.js");
-		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
+		const { buildJsonOutput } = await import("./json-CXV4D0Ib.js");
+		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs, projectInfo.coverage);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return completion;
 	}
+	if (!scoreable) {
+		if (!machineOutput) {
+			process.stdout.write(renderCoverageNotice(projectInfo, showHeader));
+			if (allDiagnostics.length > 0) process.stdout.write(renderDiagnostics(allDiagnostics, options.verbose ?? false));
+		}
+		return completion;
+	}
 	if (!options.staged && !options.changes && options.command !== "ci" && !isCiEnv()) appendHistory({
 		directory: resolvedDir,
 		score: scoreResult.score,
@@ -10815,7 +11117,7 @@ const ERROR_MESSAGE_PATTERNS = [
 /**
 * Extracts the full text of a console statement spanning multiple lines.
 */
-const getStatementText = (lines, startIndex, span) => {
+const getStatementText = (lines, span) => {
 	const spanLines = [];
 	for (const lineNo of span) spanLines.push(lines[lineNo - 1]);
 	return spanLines.join("\n");
@@ -10827,6 +11129,21 @@ const getStatementText = (lines, startIndex, span) => {
 const shouldUpgradeToError = (statementText) => {
 	return ERROR_MESSAGE_PATTERNS.some((pattern) => pattern.test(statementText));
 };
+const DIAGNOSTIC_PATH_RE = /(?:^|\/)(?:tools|scripts|cli|bin)\/|(?:^|\/)test-[^/]*\.[tj]sx?$|[.-](?:test|spec)\.[tj]sx?$/i;
+const isDiagnosticScriptPath = (filePath) => DIAGNOSTIC_PATH_RE.test(filePath.replace(/\\/g, "/"));
+const firstNonBlank = (lines, from, step, skip) => {
+	for (let i = from; i >= 0 && i < lines.length; i += step) {
+		if (skip.has(i + 1)) continue;
+		if (lines[i].trim() !== "") return lines[i].trim();
+	}
+	return "";
+};
+const wouldEmptyEnclosingBlock = (lines, span, removed) => {
+	const sorted = [...span].sort((a, b) => a - b);
+	const before = firstNonBlank(lines, sorted[0] - 2, -1, removed);
+	const after = firstNonBlank(lines, sorted[sorted.length - 1], 1, removed);
+	return before.endsWith("{") && after.startsWith("}");
+};
 const fixDeadPatterns = async (context) => {
 	const fixable = [...await detectTrivialComments(context), ...await detectDeadPatterns(context)].filter((d) => d.fixable);
 	if (fixable.length === 0) return;
@@ -10840,24 +11157,31 @@ const fixDeadPatterns = async (context) => {
 		});
 		byFile.set(absolute, entries);
 	}
-	for (const [filePath, entries] of byFile) fixFileDeadPatterns(filePath, entries);
+	for (const [filePath, entries] of byFile) fixFileDeadPatterns(filePath, entries, context.rootDirectory);
 };
-const fixFileDeadPatterns = (filePath, entries) => {
+const fixFileDeadPatterns = (filePath, entries, rootDirectory) => {
 	if (!fs.existsSync(filePath)) return;
 	const lines = fs.readFileSync(filePath, "utf-8").split("\n");
 	const linesToRemove = /* @__PURE__ */ new Set();
 	const lineReplacements = /* @__PURE__ */ new Map();
+	const skipConsole = isDiagnosticScriptPath(path.relative(rootDirectory, filePath));
+	const consoleSpans = [];
 	for (const entry of entries) {
 		const index = entry.line - 1;
 		if (index < 0 || index >= lines.length) continue;
 		if (entry.rule === "ai-slop/console-leftover") {
+			if (skipConsole) continue;
 			const span = findStatementSpan(lines, index);
-			if (shouldUpgradeToError(getStatementText(lines, index, span))) {
-				const replaced = lines[index].replace(/console\.(?:log|debug|info|trace|dir|table)\s*\(/, "console.error(");
-				lineReplacements.set(entry.line, replaced);
-			} else for (const lineNo of span) linesToRemove.add(lineNo);
+			if (shouldUpgradeToError(getStatementText(lines, span))) lineReplacements.set(entry.line, lines[index].replace(/console\.(?:log|debug|info|trace|dir|table)\s*\(/, "console.error("));
+			else consoleSpans.push(span);
 		} else linesToRemove.add(entry.line);
 	}
+	const candidateLines = /* @__PURE__ */ new Set();
+	for (const span of consoleSpans) for (const lineNo of span) candidateLines.add(lineNo);
+	for (const span of consoleSpans) {
+		if (wouldEmptyEnclosingBlock(lines, span, candidateLines)) continue;
+		for (const lineNo of span) linesToRemove.add(lineNo);
+	}
 	const result = applyEditsAndCollapse(lines, linesToRemove, lineReplacements);
 	fs.writeFileSync(filePath, result);
 };
@@ -11107,7 +11431,7 @@ const fixUnusedImports = async (context) => {
 			const importSpan = JS_EXTENSIONS$1.has(analysis.ext) ? getJsImportSpan(lines, lineIdx) : [lineIdx];
 			if (allUnused) for (const idx of importSpan) linesToRemove.add(idx);
 			else if (JS_EXTENSIONS$1.has(analysis.ext)) rewriteJsImportSpan(lines, importSpan, syms, unusedNames);
-			else if (PY_EXTENSIONS.has(analysis.ext)) rewritePyImportLine(lines, lineIdx, syms, unusedNames);
+			else if (PY_EXTENSIONS.has(analysis.ext)) rewritePyImportLine(lines, lineIdx, unusedNames);
 		}
 		if (linesToRemove.size === 0 && unused.length === 0) continue;
 		const sortedRemove = [...linesToRemove].sort((a, b) => b - a);
@@ -11171,9 +11495,12 @@ const rewriteJsImportSpan = (lines, span, syms, unusedNames) => {
 	lines[span[0]] = newImport;
 	for (let i = 1; i < span.length; i++) lines[span[i]] = REMOVE_MARKER;
 };
-const rewritePyImportLine = (lines, lineIdx, syms, unusedNames) => {
+const rewritePyImportLine = (lines, lineIdx, unusedNames) => {
 	const fromMatch = lines[lineIdx].match(/^(\s*from\s+[\w.]+\s+import\s+)(.+)$/);
-	if (!fromMatch) return;
+	if (!fromMatch) {
+		rewritePlainPyImportLine(lines, lineIdx, unusedNames);
+		return;
+	}
 	const prefix = fromMatch[1];
 	const importPart = fromMatch[2].replace(/#.*$/, "").trim();
 	const hasParen = importPart.startsWith("(");
@@ -11186,6 +11513,19 @@ const rewritePyImportLine = (lines, lineIdx, syms, unusedNames) => {
 	const joined = keptSpecifiers.join(", ");
 	lines[lineIdx] = hasParen ? `${prefix}(${joined})` : `${prefix}${joined}`;
 };
+const rewritePlainPyImportLine = (lines, lineIdx, unusedNames) => {
+	const match = lines[lineIdx].match(/^(\s*import\s+)(.+)$/);
+	if (!match) return;
+	const prefix = match[1];
+	const specifiers = match[2].replace(/#.*$/, "").split(",").map((s) => s.trim()).filter(Boolean);
+	const kept = specifiers.filter((spec) => {
+		const parts = spec.split(/\s+as\s+/);
+		const localName = parts.length > 1 ? parts[1].trim() : parts[0].trim().split(".")[0];
+		return !unusedNames.has(localName);
+	});
+	if (kept.length === 0 || kept.length === specifiers.length) return;
+	lines[lineIdx] = `${prefix}${kept.join(", ")}`;
+};
 
 //#endregion
 //#region src/engines/code-quality/unused-removal-ast.ts
@@ -11627,6 +11967,61 @@ const runExpoDoctor = async (context) => {
 	return toDiagnostics(parseIssues(output));
 };
 
+//#endregion
+//#region src/commands/fix-expo.ts
+const INSTALL_TIMEOUT$1 = 1800 * 1e3;
+const fixExpoDependencies = async (context, onProgress) => {
+	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
+	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
+	if ((await runSubprocess("npx", [
+		"--yes",
+		"expo",
+		"install",
+		"--fix"
+	], {
+		cwd: context.rootDirectory,
+		timeout: INSTALL_TIMEOUT$1
+	})).exitCode === 0) return;
+	onProgress?.("Expo dependency alignment · checking remaining issues");
+	const checkResult = await runSubprocess("npx", [
+		"--yes",
+		"expo",
+		"install",
+		"--check"
+	], {
+		cwd: context.rootDirectory,
+		timeout: INSTALL_TIMEOUT$1
+	});
+	if (checkResult.exitCode !== 0) throw new Error(checkResult.stderr || checkResult.stdout || "expo dependency check failed");
+};
+/**
+* Run expo-doctor to detect packages that should not be installed directly,
+* then uninstall them. No hardcoded list — expo-doctor is the source of truth.
+*/
+const removeDisallowedExpoPackages = async (rootDir, onProgress) => {
+	try {
+		onProgress?.("Expo dependency alignment · running expo-doctor");
+		const result = await runSubprocess("npx", [
+			"--yes",
+			"expo-doctor",
+			rootDir
+		], {
+			cwd: rootDir,
+			timeout: INSTALL_TIMEOUT$1
+		});
+		const output = [result.stdout, result.stderr].filter(Boolean).join("\n");
+		const packagePattern = /The package "([^"]+)" should not be installed directly/g;
+		const toRemove = [];
+		for (const match of output.matchAll(packagePattern)) toRemove.push(match[1]);
+		if (toRemove.length === 0) return;
+		onProgress?.(`Expo dependency alignment · uninstalling ${toRemove.length} package(s)`);
+		await runSubprocess("npm", ["uninstall", ...toRemove], {
+			cwd: rootDir,
+			timeout: INSTALL_TIMEOUT$1
+		});
+	} catch {}
+};
+
 //#endregion
 //#region src/commands/fix-force.ts
 const INSTALL_TIMEOUT = 1800 * 1e3;
@@ -11730,7 +12125,7 @@ const runNpmAuditFix = async (rootDir, onProgress) => {
 	});
 	if (installResult.exitCode !== 0) throw new Error(installResult.stderr || installResult.stdout || "npm install failed after audit fix");
 };
-const fetchLatestVersion = async (rootDir, pkgName, pm) => {
+const fetchLatestVersion$1 = async (rootDir, pkgName, pm) => {
 	try {
 		const result = await runSubprocess(pm, [
 			"view",
@@ -11750,7 +12145,7 @@ const collectOverrides = async (rootDir, vulnerabilities, pm) => {
 	const overrides = {};
 	for (const [pkgName, vuln] of Object.entries(vulnerabilities)) {
 		if (vuln.fixAvailable !== false || !vuln.range) continue;
-		const latest = await fetchLatestVersion(rootDir, pkgName, pm);
+		const latest = await fetchLatestVersion$1(rootDir, pkgName, pm);
 		if (latest) overrides[pkgName] = latest;
 	}
 	return overrides;
@@ -11764,7 +12159,9 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 		if (!auditResult.stdout) return;
 		const vulnerabilities = JSON.parse(auditResult.stdout).vulnerabilities;
 		if (!vulnerabilities) return;
-		const overrides = await collectOverrides(rootDir, vulnerabilities, "npm");
+		const rawOverrides = await collectOverrides(rootDir, vulnerabilities, "npm");
+		if (Object.keys(rawOverrides).length === 0) return;
+		const overrides = guardAndReport(rootDir, rawOverrides, onProgress);
 		if (Object.keys(overrides).length === 0) return;
 		const pkgPath = path.join(rootDir, "package.json");
 		const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -11800,6 +12197,76 @@ const collectPnpmOverrides = (advisories) => {
 	}
 	return overrides;
 };
+const overrideName = (key) => {
+	const at = key.lastIndexOf("@");
+	return at > 0 ? key.slice(0, at) : key;
+};
+const guardOverrides = (overrides, installed) => {
+	const safe = {};
+	const skipped = [];
+	for (const [key, target] of Object.entries(overrides)) {
+		const current = installed.get(overrideName(key));
+		if (current && isDowngrade(current, target)) {
+			skipped.push(`${overrideName(key)} ${current} → ${target}`);
+			continue;
+		}
+		safe[key] = target;
+	}
+	return {
+		safe,
+		skipped
+	};
+};
+const readRootNodeModulesVersion = (rootDir, name) => {
+	try {
+		const manifest = path.join(rootDir, "node_modules", name, "package.json");
+		const version = JSON.parse(fs.readFileSync(manifest, "utf-8")).version;
+		return typeof version === "string" ? version : null;
+	} catch {
+		return null;
+	}
+};
+const PNPM_STORE_VERSION_RE = /^(\d+\.\d+\.\d+[^_(]*)/;
+const isHigherVersion = (candidate, current) => {
+	if (!current) return true;
+	const a = parseSemverMin(candidate);
+	const b = parseSemverMin(current);
+	if (!a || !b) return false;
+	for (let i = 0; i < 3; i++) {
+		if ((a[i] ?? 0) > (b[i] ?? 0)) return true;
+		if ((a[i] ?? 0) < (b[i] ?? 0)) return false;
+	}
+	return false;
+};
+const readPnpmStoreVersion = (rootDir, name) => {
+	let entries;
+	try {
+		entries = fs.readdirSync(path.join(rootDir, "node_modules", ".pnpm"));
+	} catch {
+		return null;
+	}
+	const prefix = `${name.replace(/\//g, "+")}@`;
+	let best = null;
+	for (const entry of entries) {
+		if (!entry.startsWith(prefix)) continue;
+		const match = PNPM_STORE_VERSION_RE.exec(entry.slice(prefix.length));
+		if (match && isHigherVersion(match[1], best)) best = match[1];
+	}
+	return best;
+};
+const readInstalledVersions = (rootDir, names) => {
+	const map = /* @__PURE__ */ new Map();
+	for (const name of names) {
+		const version = readRootNodeModulesVersion(rootDir, name) ?? readPnpmStoreVersion(rootDir, name);
+		if (version) map.set(name, version);
+	}
+	return map;
+};
+const guardAndReport = (rootDir, rawOverrides, onProgress) => {
+	const { safe, skipped } = guardOverrides(rawOverrides, readInstalledVersions(rootDir, Object.keys(rawOverrides).map(overrideName)));
+	if (skipped.length > 0) onProgress?.(`Dependency audit fixes · skipped ${skipped.length} downgrade(s), verify intent: ${skipped.join(", ")}`);
+	return safe;
+};
 const isPnpmAuditRetired = (stdout, stderr) => {
 	const haystack = `${stdout}\n${stderr}`.toLowerCase();
 	return haystack.includes("410") || haystack.includes("gone") || haystack.includes("retired") || haystack.includes("endpoint") || haystack.includes("err_pnpm_audit") || haystack.includes("audit endpoint");
@@ -11823,7 +12290,9 @@ const tryPnpmOverrides = async (rootDir, onProgress) => {
 	}
 	const advisories = parsed.advisories;
 	if (!advisories || Object.keys(advisories).length === 0) return true;
-	const overrides = collectPnpmOverrides(advisories);
+	const rawOverrides = collectPnpmOverrides(advisories);
+	if (Object.keys(rawOverrides).length === 0) return true;
+	const overrides = guardAndReport(rootDir, rawOverrides, onProgress);
 	if (Object.keys(overrides).length === 0) return true;
 	const pkgPath = path.join(rootDir, "package.json");
 	const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -11844,58 +12313,6 @@ const tryPnpmOverrides = async (rootDir, onProgress) => {
 	});
 	return true;
 };
-const fixExpoDependencies = async (context, onProgress) => {
-	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
-	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
-	if ((await runSubprocess("npx", [
-		"--yes",
-		"expo",
-		"install",
-		"--fix"
-	], {
-		cwd: context.rootDirectory,
-		timeout: INSTALL_TIMEOUT
-	})).exitCode === 0) return;
-	onProgress?.("Expo dependency alignment · checking remaining issues");
-	const checkResult = await runSubprocess("npx", [
-		"--yes",
-		"expo",
-		"install",
-		"--check"
-	], {
-		cwd: context.rootDirectory,
-		timeout: INSTALL_TIMEOUT
-	});
-	if (checkResult.exitCode !== 0) throw new Error(checkResult.stderr || checkResult.stdout || "expo dependency check failed");
-};
-/**
-* Run expo-doctor to detect packages that should not be installed directly,
-* then uninstall them. No hardcoded list — expo-doctor is the source of truth.
-*/
-const removeDisallowedExpoPackages = async (rootDir, onProgress) => {
-	try {
-		onProgress?.("Expo dependency alignment · running expo-doctor");
-		const result = await runSubprocess("npx", [
-			"--yes",
-			"expo-doctor",
-			rootDir
-		], {
-			cwd: rootDir,
-			timeout: INSTALL_TIMEOUT
-		});
-		const output = [result.stdout, result.stderr].filter(Boolean).join("\n");
-		const packagePattern = /The package "([^"]+)" should not be installed directly/g;
-		const toRemove = [];
-		let match;
-		while ((match = packagePattern.exec(output)) !== null) toRemove.push(match[1]);
-		if (toRemove.length === 0) return;
-		onProgress?.(`Expo dependency alignment · uninstalling ${toRemove.length} package(s)`);
-		await runSubprocess("npm", ["uninstall", ...toRemove], {
-			cwd: rootDir,
-			timeout: INSTALL_TIMEOUT
-		});
-	} catch {}
-};
 
 //#endregion
 //#region src/commands/fix-pipeline.ts
@@ -11904,6 +12321,10 @@ const runAiSlopSteps = async (deps) => {
 	if (!deps.config.engines["ai-slop"]) return;
 	await deps.runStep("Unused imports", () => detectUnusedImports(deps.context), () => fixUnusedImports(deps.context));
 	await deps.runStep("Duplicate imports", () => detectDuplicateImports(deps.context), () => fixDuplicateImports(deps.context));
+	if (deps.safe) {
+		await deps.runStep("Narrative comments", async () => (await detectNarrativeComments(deps.context)).filter((d) => d.fixable), () => fixNarrativeComments(deps.context));
+		return;
+	}
 	const detectFixableSlop = async () => {
 		const [comments, dead, narrative] = await Promise.all([
 			detectTrivialComments(deps.context),
@@ -12054,19 +12475,23 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 		});
 		return result;
 	};
+	const safe = Boolean(options.safe);
 	const pipelineDeps = {
 		rail,
 		context,
 		config,
 		resolvedDir,
 		projectInfo,
-		force: Boolean(options.force),
+		force: safe ? false : Boolean(options.force),
+		safe,
 		runStep
 	};
 	await runAiSlopSteps(pipelineDeps);
-	await runDeclarationStep(pipelineDeps);
-	await runLintSteps(pipelineDeps);
-	await runDependencyStep(pipelineDeps);
+	if (!safe) {
+		await runDeclarationStep(pipelineDeps);
+		await runLintSteps(pipelineDeps);
+		await runDependencyStep(pipelineDeps);
+	}
 	await runFormattingStep(pipelineDeps);
 	await runForceSteps(pipelineDeps);
 	const totalResolved = steps.reduce((sum, s) => sum + s.resolvedIssues, 0);
@@ -12414,6 +12839,7 @@ const AI_SLOP_FIXABLE = new Set([
 	"ai-slop/duplicate-import"
 ]);
 const AI_SLOP_ERRORS = new Set(["ai-slop/hallucinated-import"]);
+const SECURITY_INFO = new Set(["security/dependency-audit-skipped"]);
 const BUILTIN_RULES = [
 	{
 		engine: "format",
@@ -12449,6 +12875,10 @@ const BUILTIN_RULES = [
 			"knip/binaries",
 			"knip/exports",
 			"knip/types",
+			"knip/duplicates",
+			"code-quality/duplicate-block",
+			"code-quality/repeated-chained-call",
+			"code-quality/unused-declaration",
 			"complexity/file-too-large",
 			"complexity/function-too-long",
 			"complexity/deep-nesting",
@@ -12501,8 +12931,10 @@ const BUILTIN_RULES = [
 			"security/vulnerable-dependency",
 			"security/eval",
 			"security/innerhtml",
+			"security/dangerously-set-innerhtml",
 			"security/sql-injection",
-			"security/shell-injection"
+			"security/shell-injection",
+			"security/dependency-audit-skipped"
 		]
 	}
 ];
@@ -12516,7 +12948,7 @@ const toRuleEntry = (engine, ruleId) => {
 	if (engine === "security") return {
 		id: ruleId,
 		engine,
-		severity: "error",
+		severity: SECURITY_INFO.has(ruleId) ? "info" : "error",
 		fixable: false
 	};
 	if (engine === "ai-slop") return {
@@ -12713,6 +13145,86 @@ const trendCommand = (directory, limit) => {
 	}));
 };
 
+//#endregion
+//#region src/update-notifier.ts
+const REGISTRY_URL = "https://registry.npmjs.org/aislop/latest";
+const CHECK_INTERVAL_MS = 1440 * 60 * 1e3;
+const REQUEST_TIMEOUT_MS = 2e3;
+const CACHE_BASENAME = "update_check.json";
+const isUpdateNotifierDisabled = (env = process.env) => {
+	if (env.AISLOP_NO_UPDATE_NOTIFIER === "1") return true;
+	if (env.NO_UPDATE_NOTIFIER === "1") return true;
+	if (env.DO_NOT_TRACK === "1") return true;
+	return isCiEnv(env);
+};
+const resolveUpdateCachePath = (homedir = os.homedir(), env = process.env) => {
+	if (process.platform === "linux" && env.XDG_STATE_HOME) return path.join(env.XDG_STATE_HOME, "aislop", CACHE_BASENAME);
+	return path.join(homedir, ".aislop", CACHE_BASENAME);
+};
+const parseVersion = (raw) => {
+	const m = raw.trim().replace(/^v/, "").split(/[-+]/, 1)[0].match(/^(\d+)\.(\d+)\.(\d+)$/);
+	if (!m) return null;
+	return {
+		major: Number(m[1]),
+		minor: Number(m[2]),
+		patch: Number(m[3])
+	};
+};
+const isOutdated = (current, latest) => {
+	const c = parseVersion(current);
+	const l = parseVersion(latest);
+	if (!c || !l) return false;
+	if (l.major !== c.major) return l.major > c.major;
+	if (l.minor !== c.minor) return l.minor > c.minor;
+	return l.patch > c.patch;
+};
+const formatUpdateNotice = (current, latest) => `\nUpdate available: ${current} -> ${latest}. Run npx aislop@latest to upgrade.\n`;
+const readCache = (cachePath) => {
+	try {
+		const parsed = JSON.parse(fs.readFileSync(cachePath, "utf-8"));
+		if (typeof parsed?.latest === "string" && typeof parsed?.checkedAt === "number") return {
+			latest: parsed.latest,
+			checkedAt: parsed.checkedAt
+		};
+		return null;
+	} catch {
+		return null;
+	}
+};
+const writeCache = (cachePath, cache) => {
+	try {
+		fs.mkdirSync(path.dirname(cachePath), { recursive: true });
+		fs.writeFileSync(cachePath, JSON.stringify(cache));
+		return true;
+	} catch {
+		return false;
+	}
+};
+const fetchLatestVersion = async () => {
+	try {
+		const res = await fetch(REGISTRY_URL, { signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS) });
+		if (!res.ok) return null;
+		const data = await res.json();
+		return typeof data.version === "string" ? data.version : null;
+	} catch {
+		return null;
+	}
+};
+const maybeNotifyUpdate = async (now = Date.now()) => {
+	if (isUpdateNotifierDisabled()) return;
+	if (!process.stderr.isTTY) return;
+	const cachePath = resolveUpdateCachePath();
+	const cache = readCache(cachePath);
+	if (cache && isOutdated(APP_VERSION, cache.latest)) process.stderr.write(formatUpdateNotice(APP_VERSION, cache.latest));
+	if (!cache || now - cache.checkedAt > CHECK_INTERVAL_MS) {
+		const latest = await fetchLatestVersion();
+		if (latest) writeCache(cachePath, {
+			latest,
+			checkedAt: now
+		});
+	}
+};
+
 //#endregion
 //#region src/cli.ts
 process.on("SIGINT", () => process.exit(0));
@@ -12880,13 +13392,14 @@ const FIX_AGENT_FLAGS = [
 const matchFixAgent = (flags) => {
 	return FIX_AGENT_FLAGS.find((a) => flags[a.name])?.flag;
 };
-const fixProgram = program.command("fix [directory]").description("Auto-fix ai slop in codebase").option("-d, --verbose", "show detailed fix progress").option("-f, --force", "run aggressive fixes (audit and framework dependency alignment)").option("-p, --prompt", "print a prompt for your coding agent to fix remaining issues");
+const fixProgram = program.command("fix [directory]").description("Auto-fix ai slop in codebase").option("-d, --verbose", "show detailed fix progress").option("-f, --force", "run aggressive fixes (audit and framework dependency alignment)").option("--safe", "only apply reversible fixes (imports, comment removal, formatting); skip anything that deletes code or rewrites behaviour").option("-p, --prompt", "print a prompt for your coding agent to fix remaining issues");
 for (const a of FIX_AGENT_FLAGS) fixProgram.option(`--${a.flag}`, a.help);
 fixProgram.action(async (directory = ".", _flags, command) => {
 	const flags = command.optsWithGlobals();
 	await fixCommand(directory, loadConfig(directory), {
 		verbose: Boolean(flags.verbose),
 		force: Boolean(flags.force),
+		safe: Boolean(flags.safe),
 		prompt: Boolean(flags.prompt),
 		agent: matchFixAgent(flags)
 	});
@@ -12966,6 +13479,7 @@ const main = async () => {
 	fireInstalledOnce();
 	await program.parseAsync();
 	await flushTelemetry();
+	await maybeNotifyUpdate();
 };
 main();