npm - aislop - Versions diffs - 0.10.1 → 0.10.2 - Mend

aislop 0.10.1 → 0.10.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/README.md +56 -8
package/dist/cli.js +942 -612
package/dist/{expo-doctor-BcIkOte5.js → expo-doctor-c-jE6pR2.js} +1 -1
package/dist/{generic-D_T4cUaC.js → generic-BsQa13CS.js} +1 -1
package/dist/index.d.ts +10 -1
package/dist/index.js +2673 -2346
package/dist/{json-Bqkcl1DF.js → json-B01i-GOz.js} +7 -5
package/dist/{json-OIzja7OM.js → json-CXV4D0Ib.js} +5 -3
package/dist/mcp.js +584 -501
package/dist/{sarif-C-vh4wcC.js → sarif-cy5SiDDq.js} +1 -1
package/dist/{typecheck-DQSzG8fX.js → typecheck-BdQ7uFyK.js} +1 -1
package/dist/version-BfJVwhN2.js +5 -0
package/package.json +8 -11
package/dist/version-rlhQD8Qh.js +0 -5
/package/dist/{engine-info-DCvIfZ0f.js → engine-info-Cpt36DqZ.js} +0 -0
/package/dist/{subprocess-CQUJDGgn.js → subprocess-0uXz8HdE.js} +0 -0

package/dist/cli.js CHANGED Viewed

@@ -34,7 +34,7 @@ var __exportAll = (all, no_symbols) => {
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.10.1";
+const APP_VERSION = "0.10.2";
 //#endregion
 //#region src/telemetry/env.ts
@@ -244,9 +244,14 @@ const track = (input) => {
 	pendingRequests.add(request);
 	return { installCreated };
 };
-const flushTelemetry = async () => {
+const flushTelemetry = async (timeoutMs) => {
 	if (pendingRequests.size === 0) return;
-	await Promise.all(pendingRequests);
+	const all = Promise.all(pendingRequests);
+	if (timeoutMs == null) {
+		await all;
+		return;
+	}
+	await Promise.race([all, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
 };
 //#endregion
@@ -361,7 +366,7 @@ const withCommandLifecycle = async (start, run) => {
 				startProps,
 				exitCode: result.exitCode,
 				durationMs,
-				score: result.score,
+				score: result.score ?? void 0,
 				findingCount: result.findingCount,
 				errorCount: result.errorCount,
 				warningCount: result.warningCount,
@@ -619,12 +624,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: scanaislop/aislop@v${APP_VERSION}
         with:
-          node-version: 20
-      # Quality gate: exits 1 when score < ci.failBelow in .aislop/config.yml
-      # or when any error-severity diagnostic is present.
-      - run: npx aislop@latest ci .
+          version: ${APP_VERSION}
 `;
 const DEFAULT_RULES_YAML = `# Architecture rules (BYO)
 # Uncomment and customize to enforce your project's conventions.
@@ -836,218 +838,6 @@ const loadConfig = (directory) => {
 	}
 };
-//#endregion
-//#region src/utils/source-masker.ts
-const JS_EXTS$2 = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs"
-]);
-const PY_EXTS = new Set([".py"]);
-const RB_EXTS = new Set([".rb"]);
-const PHP_EXTS = new Set([".php"]);
-const familyForExt = (ext) => {
-	if (JS_EXTS$2.has(ext)) return "js";
-	if (PY_EXTS.has(ext)) return "py";
-	if (RB_EXTS.has(ext)) return "rb";
-	if (PHP_EXTS.has(ext)) return "php";
-	return "none";
-};
-const maskStringsAndComments = (content, ext) => {
-	const family = familyForExt(ext);
-	if (family === "none") return content;
-	if (family === "js") return maskJs(content, true);
-	return maskSimple(content, family, true);
-};
-const maskComments = (content, ext) => {
-	const family = familyForExt(ext);
-	if (family === "none") return content;
-	if (family === "js") return maskJs(content, false);
-	return maskSimple(content, family, false);
-};
-const handleQuotesAndComments = (content, i, tplStack, mask, maskStrings) => {
-	const len = content.length;
-	const c = content[i];
-	const next = content[i + 1];
-	if (c === "\"" || c === "'") {
-		const strStart = i;
-		const end = consumeQuotedString(content, i, c);
-		if (maskStrings) mask(strStart + 1, end - 1);
-		return {
-			handled: true,
-			nextI: end
-		};
-	}
-	if (c === "`") {
-		const scan = consumeTemplateString(content, i + 1);
-		if (maskStrings) mask(i + 1, scan.maskEnd);
-		if (scan.openedInterp) tplStack.push(0);
-		return {
-			handled: true,
-			nextI: scan.resumeAt
-		};
-	}
-	if (c === "/" && next === "/") {
-		const strStart = i;
-		let k = i;
-		while (k < len && content[k] !== "\n") k++;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	if (c === "/" && next === "*") {
-		const strStart = i;
-		let k = i + 2;
-		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
-		if (k < len - 1) k += 2;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	return {
-		handled: false,
-		nextI: i
-	};
-};
-const maskJs = (content, maskStrings) => {
-	const out = content.split("");
-	const len = content.length;
-	const tplStack = [];
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		if (tplStack.length > 0) {
-			if (c === "{") {
-				tplStack[tplStack.length - 1]++;
-				i++;
-				continue;
-			}
-			if (c === "}") {
-				if (tplStack[tplStack.length - 1] === 0) {
-					tplStack.pop();
-					const scan = consumeTemplateString(content, i + 1);
-					if (maskStrings) mask(i + 1, scan.maskEnd);
-					if (scan.openedInterp) tplStack.push(0);
-					i = scan.resumeAt;
-					continue;
-				}
-				tplStack[tplStack.length - 1]--;
-				i++;
-				continue;
-			}
-		}
-		const handled = handleQuotesAndComments(content, i, tplStack, mask, maskStrings);
-		if (handled.handled) {
-			i = handled.nextI;
-			continue;
-		}
-		i++;
-	}
-	return out.join("");
-};
-const consumeQuotedString = (content, start, quote) => {
-	const len = content.length;
-	let i = start + 1;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === quote) return i + 1;
-		if (c === "\n") return i;
-		i++;
-	}
-	return i;
-};
-const consumeTemplateString = (content, start) => {
-	const len = content.length;
-	let i = start;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === "`") return {
-			maskEnd: i,
-			resumeAt: i + 1,
-			openedInterp: false
-		};
-		if (c === "$" && content[i + 1] === "{") return {
-			maskEnd: i,
-			resumeAt: i + 2,
-			openedInterp: true
-		};
-		i++;
-	}
-	return {
-		maskEnd: i,
-		resumeAt: i,
-		openedInterp: false
-	};
-};
-const maskSimple = (content, family, maskStrings) => {
-	const out = content.split("");
-	const len = content.length;
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		const next = content[i + 1];
-		if (family === "py" && (c === "\"" || c === "'")) {
-			if (content[i + 1] === c && content[i + 2] === c) {
-				const triple = c + c + c;
-				const end = content.indexOf(triple, i + 3);
-				const stop = end === -1 ? len : end + 3;
-				if (maskStrings) mask(i + 3, stop - 3);
-				i = stop;
-				continue;
-			}
-		}
-		if (c === "\"" || c === "'") {
-			const strStart = i;
-			i = consumeQuotedString(content, i, c);
-			if (maskStrings) mask(strStart + 1, i - 1);
-			continue;
-		}
-		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "/") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "*") {
-			const strStart = i;
-			i += 2;
-			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
-			if (i < len - 1) i += 2;
-			mask(strStart, i);
-			continue;
-		}
-		i++;
-	}
-	return out.join("");
-};
 //#endregion
 //#region src/utils/source-files.ts
 const MAX_BUFFER$1 = 50 * 1024 * 1024;
@@ -1224,6 +1014,15 @@ const listProjectFiles = (rootDirectory) => {
 	if (findResult.error || findResult.status !== 0) return [];
 	return findResult.stdout.split("\n").filter((file) => file.length > 0).map((file) => file.replace(/^\.\//, ""));
 };
+const readAislopIgnorePatterns = (rootDirectory) => {
+	const ignorePath = path.join(rootDirectory, ".aislopignore");
+	if (!fs.existsSync(ignorePath)) return [];
+	try {
+		return fs.readFileSync(ignorePath, "utf-8").split(/\r?\n/).map((line) => line.trim()).filter((line) => line.length > 0 && !line.startsWith("#"));
+	} catch {
+		return [];
+	}
+};
 const normalizeExcludePatterns = (patterns) => {
 	return patterns.flatMap((pattern) => {
 		const p = pattern.trim();
@@ -1297,8 +1096,8 @@ const getSourceFilesWithExtras = (context, extraExtensions) => {
 };
 //#endregion
-//#region src/engines/ai-slop/abstractions.ts
-const JS_EXTS$1 = new Set([
+//#region src/utils/source-masker.ts
+const JS_EXTS$2 = new Set([
 	".ts",
 	".tsx",
 	".js",
@@ -1306,51 +1105,261 @@ const JS_EXTS$1 = new Set([
 	".mjs",
 	".cjs"
 ]);
-const THIN_WRAPPER_PATTERNS = [
-	{
-		pattern: /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*(?::\s*\w[^{]*)?\{\s*\n?\s*return\s+\w+\([^)]*\);\s*\n?\s*\}/g,
-		extensions: JS_EXTS$1
-	},
-	{
-		pattern: /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w[^=]*)?\s*=>\s*\w+\([^)]*\);/g,
-		extensions: JS_EXTS$1
-	},
-	{
-		pattern: /def\s+(\w+)\s*\([^)]*\)(?:\s*->[^:]*)?:\s*\n\s+return\s+\w+\([^)]*\)\s*$/gm,
-		extensions: new Set([".py"])
-	}
-];
-const AI_NAMING_PATTERNS = [/(?:helper|util|handler|process|do|handle|execute|perform)_?\d+/i, /(?:data|temp|result|value|item|obj|arr|str|num|val)\d+/];
-const FRAMEWORK_METHOD_NAMES = /^(?:setUp|tearDown|setUpClass|tearDownClass|setUpModule|tearDownModule)$/;
-const DUNDER_PATTERN = /^__\w+__$/;
-const stripParam = (p) => p.trim().split(/[:=]/)[0].trim().replace(/^[*&]+/, "");
-const paramNames = (paramsText) => new Set(paramsText.split(",").map(stripParam).filter((p) => p && p !== "self" && p !== "cls"));
-const isIdentityForward = (matchText) => {
-	const paramsMatch = matchText.match(/\(([^)]*)\)/);
-	const innerMatch = matchText.match(/(?:return\s+\w+|=>\s*\w+)\s*\(([^)]*)\)/);
-	if (!paramsMatch || !innerMatch) return false;
-	const params = paramNames(paramsMatch[1]);
-	const args = innerMatch[1].split(",").map((a) => a.trim()).filter((a) => a.length > 0);
-	if (args.length === 0) return false;
-	return args.every((a) => /^[A-Za-z_$][\w$]*$/.test(a) && params.has(a));
-};
-const isUseContextWrapper = (matchText) => /\buse\w+/.test(matchText) && /useContext\s*\(/.test(matchText);
-const detectThinWrappers = (content, relativePath, ext) => {
-	const diagnostics = [];
-	const lines = content.split("\n");
+const PY_EXTS = new Set([".py"]);
+const RB_EXTS = new Set([".rb"]);
+const PHP_EXTS = new Set([".php"]);
+const familyForExt = (ext) => {
+	if (JS_EXTS$2.has(ext)) return "js";
+	if (PY_EXTS.has(ext)) return "py";
+	if (RB_EXTS.has(ext)) return "rb";
+	if (PHP_EXTS.has(ext)) return "php";
+	return "none";
+};
+const maskStringsAndComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, true);
+	return maskSimple(content, family, true);
+};
+const maskComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, false);
+	return maskSimple(content, family, false);
+};
+const handleQuotesAndComments = (content, i, tplStack, mask, maskStrings) => {
+	const len = content.length;
+	const c = content[i];
+	const next = content[i + 1];
+	if (c === "\"" || c === "'") {
+		const strStart = i;
+		const end = consumeQuotedString(content, i, c);
+		if (maskStrings) mask(strStart + 1, end - 1);
+		return {
+			handled: true,
+			nextI: end
+		};
+	}
+	if (c === "`") {
+		const scan = consumeTemplateString(content, i + 1);
+		if (maskStrings) mask(i + 1, scan.maskEnd);
+		if (scan.openedInterp) tplStack.push(0);
+		return {
+			handled: true,
+			nextI: scan.resumeAt
+		};
+	}
+	if (c === "/" && next === "/") {
+		const strStart = i;
+		let k = i;
+		while (k < len && content[k] !== "\n") k++;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	if (c === "/" && next === "*") {
+		const strStart = i;
+		let k = i + 2;
+		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
+		if (k < len - 1) k += 2;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	return {
+		handled: false,
+		nextI: i
+	};
+};
+const maskJs = (content, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	const tplStack = [];
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		if (tplStack.length > 0) {
+			if (c === "{") {
+				tplStack[tplStack.length - 1]++;
+				i++;
+				continue;
+			}
+			if (c === "}") {
+				if (tplStack[tplStack.length - 1] === 0) {
+					tplStack.pop();
+					const scan = consumeTemplateString(content, i + 1);
+					if (maskStrings) mask(i + 1, scan.maskEnd);
+					if (scan.openedInterp) tplStack.push(0);
+					i = scan.resumeAt;
+					continue;
+				}
+				tplStack[tplStack.length - 1]--;
+				i++;
+				continue;
+			}
+		}
+		const handled = handleQuotesAndComments(content, i, tplStack, mask, maskStrings);
+		if (handled.handled) {
+			i = handled.nextI;
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+const consumeQuotedString = (content, start, quote) => {
+	const len = content.length;
+	let i = start + 1;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === quote) return i + 1;
+		if (c === "\n") return i;
+		i++;
+	}
+	return i;
+};
+const consumeTemplateString = (content, start) => {
+	const len = content.length;
+	let i = start;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === "`") return {
+			maskEnd: i,
+			resumeAt: i + 1,
+			openedInterp: false
+		};
+		if (c === "$" && content[i + 1] === "{") return {
+			maskEnd: i,
+			resumeAt: i + 2,
+			openedInterp: true
+		};
+		i++;
+	}
+	return {
+		maskEnd: i,
+		resumeAt: i,
+		openedInterp: false
+	};
+};
+const maskSimple = (content, family, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (family === "py" && (c === "\"" || c === "'")) {
+			if (content[i + 1] === c && content[i + 2] === c) {
+				const triple = c + c + c;
+				const end = content.indexOf(triple, i + 3);
+				const stop = end === -1 ? len : end + 3;
+				if (maskStrings) mask(i + 3, stop - 3);
+				i = stop;
+				continue;
+			}
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			if (maskStrings) mask(strStart + 1, i - 1);
+			continue;
+		}
+		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+//#endregion
+//#region src/engines/ai-slop/abstractions.ts
+const JS_EXTS$1 = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const THIN_WRAPPER_PATTERNS = [
+	{
+		pattern: /(?:export\s+)?(?:async\s+)?function\s+(\w+)\s*\([^)]*\)\s*(?::\s*\w[^{]*)?\{\s*\n?\s*return\s+\w+\([^)]*\);\s*\n?\s*\}/g,
+		extensions: JS_EXTS$1
+	},
+	{
+		pattern: /(?:export\s+)?const\s+(\w+)\s*=\s*(?:async\s+)?\([^)]*\)\s*(?::\s*\w[^=]*)?\s*=>\s*\w+\([^)]*\);/g,
+		extensions: JS_EXTS$1
+	},
+	{
+		pattern: /def\s+(\w+)\s*\([^)]*\)(?:\s*->[^:]*)?:\s*\n\s+return\s+\w+\([^)]*\)\s*$/gm,
+		extensions: new Set([".py"])
+	}
+];
+const AI_NAMING_PATTERNS = [/(?:helper|util|handler|process|do|handle|execute|perform)_?\d+/i, /(?:data|temp|result|value|item|obj|arr|str|num|val)\d+/];
+const FRAMEWORK_METHOD_NAMES = /^(?:setUp|tearDown|setUpClass|tearDownClass|setUpModule|tearDownModule)$/;
+const DUNDER_PATTERN = /^__\w+__$/;
+const stripParam = (p) => p.trim().split(/[:=]/)[0].trim().replace(/^[*&]+/, "");
+const paramNames = (paramsText) => new Set(paramsText.split(",").map(stripParam).filter((p) => p && p !== "self" && p !== "cls"));
+const isIdentityForward = (matchText) => {
+	const paramsMatch = matchText.match(/\(([^)]*)\)/);
+	const innerMatch = matchText.match(/(?:return\s+\w+|=>\s*\w+)\s*\(([^)]*)\)/);
+	if (!paramsMatch || !innerMatch) return false;
+	const params = paramNames(paramsMatch[1]);
+	const args = innerMatch[1].split(",").map((a) => a.trim()).filter((a) => a.length > 0);
+	if (args.length === 0) return false;
+	return args.every((a) => /^[A-Za-z_$][\w$]*$/.test(a) && params.has(a));
+};
+const isUseContextWrapper = (matchText) => /\buse\w+/.test(matchText) && /useContext\s*\(/.test(matchText);
+const detectThinWrappers = (content, relativePath, ext) => {
+	const diagnostics = [];
+	const lines = content.split("\n");
 	for (const { pattern, extensions } of THIN_WRAPPER_PATTERNS) {
 		if (!extensions.has(ext)) continue;
 		const regex = new RegExp(pattern.source, pattern.flags);
-		let match;
-		while ((match = regex.exec(content)) !== null) {
+		for (const match of content.matchAll(regex)) {
 			const funcName = match[1];
 			const matchText = match[0];
 			const lineNumber = content.slice(0, match.index).split("\n").length;
 			if (DUNDER_PATTERN.test(funcName)) continue;
 			if (FRAMEWORK_METHOD_NAMES.test(funcName)) continue;
 			if (lineNumber >= 2) {
-				const prevLine = lines[lineNumber - 2]?.trim();
-				if (prevLine && prevLine.startsWith("@")) continue;
+				if ((lines[lineNumber - 2]?.trim())?.startsWith("@")) continue;
 			}
 			if (!isIdentityForward(matchText)) continue;
 			if (isUseContextWrapper(matchText)) continue;
@@ -1727,7 +1736,7 @@ const detectDeadCodePatterns = (content, relativePath, ext) => {
 		const nextLine = i + 1 < lines.length ? lines[i + 1]?.trim() : void 0;
 		if (JS_EXTENSIONS$4.has(ext) && /^(?:return|throw)\b/.test(trimmed) && trimmed.endsWith(";") && nextLine && nextLine.length > 0 && !isGuardedSingleLineExit(lines, i) && !isBlockCloserAfterReturn(nextLine) && !nextLine.startsWith("//") && !nextLine.startsWith("/*") && !nextLine.startsWith("case ") && !nextLine.startsWith("default:") && !nextLine.startsWith("if ") && !nextLine.startsWith("if(") && !nextLine.startsWith("else")) diagnostics.push(slop(relativePath, i + 2, "ai-slop/unreachable-code", "warning", "Code after return/throw statement is unreachable", "Remove the unreachable code or restructure the control flow", false));
 		if (/\bif\s*\(\s*(?:false|true|0|1)\s*\)/.test(trimmed) && !trimmed.startsWith("//") && !trimmed.startsWith("*") && !/["'`].*\bif\s*\(/.test(trimmed) && !/\/.*\bif\s*\(/.test(trimmed.replace(/\/\/.*$/, ""))) diagnostics.push(slop(relativePath, i + 1, "ai-slop/constant-condition", "warning", "Conditional with a constant value — likely debugging leftover", "Remove the constant condition or replace with proper logic", false));
-		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
+		if (JS_EXTENSIONS$4.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
 	}
 	return diagnostics;
 };
@@ -2113,9 +2122,8 @@ const detectSwallowedExceptions = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, languages, message } of SWALLOWED_EXCEPTION_PATTERNS) {
 			if (!languages.includes(ext)) continue;
-			let match;
 			const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes("g") ? "" : "g"));
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isIntentionalIgnore(match[0], ext)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
 				diagnostics.push({
@@ -2210,170 +2218,10 @@ const detectGoPatterns = async (context) => {
 };
 //#endregion
-//#region src/engines/ai-slop/hardcoded-config.ts
-const SOURCE_EXTENSIONS = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs",
-	".py",
-	".go",
-	".rs",
-	".rb",
-	".java",
-	".php"
-]);
-const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
-const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
-const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
-const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
-const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
-const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
-const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
-const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
-const PLACEHOLDER_HOSTS = new Set([
-	"example.com",
-	"example.org",
-	"example.net"
-]);
-const LOOPBACK_HOSTS = new Set([
-	"localhost",
-	"127.0.0.1",
-	"0.0.0.0",
-	"::1"
-]);
-const VENDOR_API_DOMAINS = [
-	"github.com",
-	"githubusercontent.com",
-	"googleapis.com",
-	"accounts.google.com",
-	"stripe.com",
-	"openai.com",
-	"anthropic.com",
-	"slack.com",
-	"twilio.com",
-	"sendgrid.com",
-	"mailgun.net",
-	"cloudflare.com",
-	"discord.com",
-	"telegram.org",
-	"login.microsoftonline.com",
-	"graph.microsoft.com",
-	"twitter.com",
-	"x.com",
-	"twimg.com",
-	"t.co",
-	"api.telegram.org"
-];
-const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
-const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
-const HARDCODED_URL_FINDING = {
-	rule: "ai-slop/hardcoded-url",
-	message: "Hardcoded environment URL in production code",
-	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
-};
-const HARDCODED_ID_FINDING = {
-	rule: "ai-slop/hardcoded-id",
-	message: "Hardcoded provider/project ID in production code",
-	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
-};
-const makeFinding = (filePath, line, spec) => ({
-	filePath,
-	engine: "ai-slop",
-	rule: spec.rule,
-	severity: "warning",
-	message: spec.message,
-	help: spec.help,
-	line,
-	column: 0,
-	category: "AI Slop",
-	fixable: false
-});
-const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
-const commentStartsBefore = (line, index, ext) => {
-	const prefix = line.slice(0, index);
-	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
-	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
-	return prefix.includes("//") || prefix.includes("/*");
-};
-const safeUrlHost = (urlText) => {
-	try {
-		return new URL(urlText).hostname.toLowerCase();
-	} catch {
-		return null;
-	}
-};
-const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
-const shouldFlagUrlLiteral = (line, urlText) => {
-	if (isEnvBackedLine(line)) return false;
-	const host = safeUrlHost(urlText);
-	if (!host) return false;
-	if (PLACEHOLDER_HOSTS.has(host)) return false;
-	if (LOOPBACK_HOSTS.has(host)) return false;
-	if (isVendorApiHost(host)) return false;
-	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
-	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
-};
-const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
-const hasUsefulIdShape = (value) => {
-	if (PLACEHOLDER_ID_RE.test(value)) return false;
-	if (ENV_VAR_NAME_RE.test(value)) return false;
-	if (/^https?:\/\//i.test(value)) return false;
-	if (/^[A-Za-z]+$/.test(value)) return false;
-	return /[0-9]/.test(value);
-};
-const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
-	const diagnostics = [];
-	if (isCommentOnlyLine(line.trim())) return diagnostics;
-	URL_LITERAL_RE.lastIndex = 0;
-	let urlMatch;
-	while ((urlMatch = URL_LITERAL_RE.exec(line)) !== null) {
-		const urlText = urlMatch[2];
-		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
-		if (!shouldFlagUrlLiteral(line, urlText)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
-	}
-	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
-	ID_LITERAL_RE.lastIndex = 0;
-	let idMatch;
-	while ((idMatch = ID_LITERAL_RE.exec(line)) !== null) {
-		const value = idMatch[2];
-		if (commentStartsBefore(line, idMatch.index, ext)) continue;
-		if (!hasUsefulIdShape(value)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
-	}
-	return diagnostics;
-};
-const scanFileForConfigLiterals = (content, relativePath, ext) => {
-	if (!SOURCE_EXTENSIONS.has(ext)) return [];
-	if (isNonProductionPath(relativePath)) return [];
-	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
-	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
-};
-const detectHardcodedConfigLiterals = async (context) => {
-	const diagnostics = [];
-	for (const filePath of getSourceFiles(context)) {
-		if (isAutoGenerated(filePath)) continue;
-		let content;
-		try {
-			content = fs.readFileSync(filePath, "utf-8");
-		} catch {
-			continue;
-		}
-		const relativePath = path.relative(context.rootDirectory, filePath);
-		const ext = path.extname(filePath);
-		diagnostics.push(...scanFileForConfigLiterals(maskComments(content, ext), relativePath, ext));
-	}
-	return diagnostics;
-};
-//#endregion
-//#region src/engines/ai-slop/js-import-aliases.ts
-const TS_CONFIG_FILES = ["tsconfig.json", "jsconfig.json"];
-const JS_RESOLUTION_EXTENSIONS = [
-	"",
+//#region src/engines/ai-slop/js-import-aliases.ts
+const TS_CONFIG_FILES = ["tsconfig.json", "jsconfig.json"];
+const JS_RESOLUTION_EXTENSIONS = [
+	"",
 	".ts",
 	".tsx",
 	".js",
@@ -2466,15 +2314,18 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 	}
 	return globs;
 };
+const readWorkspaceEntries = (dir) => {
+	try {
+		return fs.readdirSync(dir, { withFileTypes: true });
+	} catch {
+		return [];
+	}
+};
 const expandWorkspaceDirs = (rootDir, globs) => {
 	const dirs = [];
 	for (const glob of globs) if (glob.endsWith("/*")) {
 		const parent = path.join(rootDir, glob.slice(0, -2));
-		try {
-			for (const entry of fs.readdirSync(parent, { withFileTypes: true })) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
-		} catch {
-			continue;
-		}
+		for (const entry of readWorkspaceEntries(parent)) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
 	} else if (!glob.includes("*")) dirs.push(path.join(rootDir, glob));
 	return dirs;
 };
@@ -3061,21 +2912,194 @@ const checkPyImport = (spec, manifest) => {
 	if ((PYTHON_IMPORT_TO_PIP[root] ?? PYTHON_IMPORT_TO_PIP[normalized])?.some((dist) => manifest.pyDeps.has(normalizePyName(dist)))) return null;
 	return root;
 };
-const detectHallucinatedImports = async (context) => {
-	const rootPkg = readJson(path.join(context.rootDirectory, "package.json"));
-	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
-	const manifest = loadManifest(context.rootDirectory);
-	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
-	const tsAliasMatchers = manifest.hasJsManifest ? collectTsPathAliases(context.rootDirectory, workspaceDirs) : [];
+const detectHallucinatedImports = async (context) => {
+	const rootPkg = readJson(path.join(context.rootDirectory, "package.json"));
+	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
+	const manifest = loadManifest(context.rootDirectory);
+	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
+	const tsAliasMatchers = manifest.hasJsManifest ? collectTsPathAliases(context.rootDirectory, workspaceDirs) : [];
+	const diagnostics = [];
+	const files = getSourceFiles(context);
+	for (const filePath of files) {
+		const ext = path.extname(filePath);
+		const isJs = JS_EXTENSIONS$2.has(ext);
+		const isPy = PY_EXTENSIONS$2.has(ext);
+		if (!isJs && !isPy) continue;
+		if (isJs && !manifest.hasJsManifest) continue;
+		if (isPy && !manifest.hasPyManifest) continue;
+		if (isAutoGenerated(filePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const relPath = path.relative(context.rootDirectory, filePath);
+		if (isNonProductionPath(relPath)) continue;
+		const imports = isJs ? extractJsImports(content) : extractPyImports(content);
+		for (const { spec, line } of imports) {
+			const hallucinated = isJs ? checkJsImport(spec, manifest, tsAliasMatchers) : checkPyImport(spec, manifest);
+			if (!hallucinated) continue;
+			const manifestLabel = isJs ? "package.json" : "requirements.txt / pyproject.toml / Pipfile";
+			diagnostics.push({
+				filePath: relPath,
+				engine: "ai-slop",
+				rule: "ai-slop/hallucinated-import",
+				severity: "error",
+				message: `Imports "${hallucinated}" but it's not declared in ${manifestLabel}${isPy ? " and isn't Python stdlib" : ""}`,
+				help: "Most often this is an LLM hallucinating a plausible-sounding package name. Either add the package to your manifest, or correct the import.",
+				line,
+				column: 1,
+				category: "AI Slop",
+				fixable: false
+			});
+		}
+	}
+	return diagnostics;
+};
+//#endregion
+//#region src/engines/ai-slop/hardcoded-config.ts
+const SOURCE_EXTENSIONS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs",
+	".py",
+	".go",
+	".rs",
+	".rb",
+	".java",
+	".php"
+]);
+const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
+const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
+const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
+const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
+const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
+const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
+const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
+const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
+const PLACEHOLDER_HOSTS = new Set([
+	"example.com",
+	"example.org",
+	"example.net"
+]);
+const LOOPBACK_HOSTS = new Set([
+	"localhost",
+	"127.0.0.1",
+	"0.0.0.0",
+	"::1"
+]);
+const VENDOR_API_DOMAINS = [
+	"github.com",
+	"githubusercontent.com",
+	"googleapis.com",
+	"accounts.google.com",
+	"stripe.com",
+	"openai.com",
+	"anthropic.com",
+	"slack.com",
+	"twilio.com",
+	"sendgrid.com",
+	"mailgun.net",
+	"cloudflare.com",
+	"discord.com",
+	"telegram.org",
+	"login.microsoftonline.com",
+	"graph.microsoft.com",
+	"twitter.com",
+	"x.com",
+	"twimg.com",
+	"t.co",
+	"api.telegram.org"
+];
+const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
+const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const HARDCODED_URL_FINDING = {
+	rule: "ai-slop/hardcoded-url",
+	message: "Hardcoded environment URL in production code",
+	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
+};
+const HARDCODED_ID_FINDING = {
+	rule: "ai-slop/hardcoded-id",
+	message: "Hardcoded provider/project ID in production code",
+	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
+};
+const makeFinding = (filePath, line, spec) => ({
+	filePath,
+	engine: "ai-slop",
+	rule: spec.rule,
+	severity: "warning",
+	message: spec.message,
+	help: spec.help,
+	line,
+	column: 0,
+	category: "AI Slop",
+	fixable: false
+});
+const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+const commentStartsBefore = (line, index, ext) => {
+	const prefix = line.slice(0, index);
+	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
+	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
+	return prefix.includes("//") || prefix.includes("/*");
+};
+const safeUrlHost = (urlText) => {
+	try {
+		return new URL(urlText).hostname.toLowerCase();
+	} catch {
+		return null;
+	}
+};
+const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const shouldFlagUrlLiteral = (line, urlText) => {
+	if (isEnvBackedLine(line)) return false;
+	const host = safeUrlHost(urlText);
+	if (!host) return false;
+	if (PLACEHOLDER_HOSTS.has(host)) return false;
+	if (LOOPBACK_HOSTS.has(host)) return false;
+	if (isVendorApiHost(host)) return false;
+	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
+	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
+};
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
+const hasUsefulIdShape = (value) => {
+	if (PLACEHOLDER_ID_RE.test(value)) return false;
+	if (ENV_VAR_NAME_RE.test(value)) return false;
+	if (/^https?:\/\//i.test(value)) return false;
+	if (/^[A-Za-z]+$/.test(value)) return false;
+	return /[0-9]/.test(value);
+};
+const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
+	const diagnostics = [];
+	if (isCommentOnlyLine(line.trim())) return diagnostics;
+	for (const urlMatch of line.matchAll(URL_LITERAL_RE)) {
+		const urlText = urlMatch[2];
+		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
+		if (!shouldFlagUrlLiteral(line, urlText)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
+	}
+	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
+	for (const idMatch of line.matchAll(ID_LITERAL_RE)) {
+		const value = idMatch[2];
+		if (commentStartsBefore(line, idMatch.index, ext)) continue;
+		if (!hasUsefulIdShape(value)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
+	}
+	return diagnostics;
+};
+const scanFileForConfigLiterals = (content, relativePath, ext) => {
+	if (!SOURCE_EXTENSIONS.has(ext)) return [];
+	if (isNonProductionPath(relativePath)) return [];
+	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
+	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
+};
+const detectHardcodedConfigLiterals = async (context) => {
 	const diagnostics = [];
-	const files = getSourceFiles(context);
-	for (const filePath of files) {
-		const ext = path.extname(filePath);
-		const isJs = JS_EXTENSIONS$2.has(ext);
-		const isPy = PY_EXTENSIONS$2.has(ext);
-		if (!isJs && !isPy) continue;
-		if (isJs && !manifest.hasJsManifest) continue;
-		if (isPy && !manifest.hasPyManifest) continue;
+	for (const filePath of getSourceFiles(context)) {
 		if (isAutoGenerated(filePath)) continue;
 		let content;
 		try {
@@ -3083,30 +3107,92 @@ const detectHallucinatedImports = async (context) => {
 		} catch {
 			continue;
 		}
-		const relPath = path.relative(context.rootDirectory, filePath);
-		if (isNonProductionPath(relPath)) continue;
-		const imports = isJs ? extractJsImports(content) : extractPyImports(content);
-		for (const { spec, line } of imports) {
-			const hallucinated = isJs ? checkJsImport(spec, manifest, tsAliasMatchers) : checkPyImport(spec, manifest);
-			if (!hallucinated) continue;
-			const manifestLabel = isJs ? "package.json" : "requirements.txt / pyproject.toml / Pipfile";
-			diagnostics.push({
-				filePath: relPath,
-				engine: "ai-slop",
-				rule: "ai-slop/hallucinated-import",
-				severity: "error",
-				message: `Imports "${hallucinated}" but it's not declared in ${manifestLabel}${isPy ? " and isn't Python stdlib" : ""}`,
-				help: "Most often this is an LLM hallucinating a plausible-sounding package name. Either add the package to your manifest, or correct the import.",
-				line,
-				column: 1,
-				category: "AI Slop",
-				fixable: false
-			});
-		}
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		const ext = path.extname(filePath);
+		diagnostics.push(...scanFileForConfigLiterals(maskComments(content, ext), relativePath, ext));
 	}
 	return diagnostics;
 };
+//#endregion
+//#region src/utils/suppress.ts
+const DIRECTIVE_RE = /(?:\/\/|\/\*|#|<!--|\*)\s*aislop-ignore-(next-line|line|file)\b([^\n]*)/;
+const isAislopDirectiveLine = (line) => DIRECTIVE_RE.test(line);
+const parseDirective = (rest) => {
+	const tokens = rest.split("--")[0].match(/[A-Za-z0-9@][\w@/.-]*/g) ?? [];
+	if (tokens.length === 0) return {
+		rules: /* @__PURE__ */ new Set(),
+		all: true
+	};
+	return {
+		rules: new Set(tokens),
+		all: false
+	};
+};
+const covers = (directive, rule) => directive.all || [...directive.rules].some((r) => r === rule || rule.endsWith(`/${r}`));
+const parseFileDirectives = (content) => {
+	const lines = content.split(/\r?\n/);
+	const file = [];
+	const byLine = /* @__PURE__ */ new Map();
+	const addLine = (target, directive) => {
+		const list = byLine.get(target) ?? [];
+		list.push(directive);
+		byLine.set(target, list);
+	};
+	for (let i = 0; i < lines.length; i++) {
+		const match = DIRECTIVE_RE.exec(lines[i]);
+		if (!match) continue;
+		const scope = match[1];
+		const directive = parseDirective(match[2] ?? "");
+		if (scope === "file") file.push(directive);
+		else if (scope === "next-line") addLine(i + 2, directive);
+		else addLine(i + 1, directive);
+	}
+	return {
+		file,
+		byLine
+	};
+};
+const applySuppressions = (results, rootDirectory) => {
+	const cache = /* @__PURE__ */ new Map();
+	let suppressedCount = 0;
+	const load = (filePath) => {
+		const cached = cache.get(filePath);
+		if (cached !== void 0) return cached;
+		const absolute = path.isAbsolute(filePath) ? filePath : path.join(rootDirectory, filePath);
+		let parsed = null;
+		try {
+			parsed = parseFileDirectives(fs.readFileSync(absolute, "utf-8"));
+		} catch {
+			parsed = null;
+		}
+		cache.set(filePath, parsed);
+		return parsed;
+	};
+	const isSuppressed = (diagnostic) => {
+		const directives = load(diagnostic.filePath);
+		if (!directives) return false;
+		if (directives.file.some((d) => covers(d, diagnostic.rule))) return true;
+		return (directives.byLine.get(diagnostic.line) ?? []).some((d) => covers(d, diagnostic.rule));
+	};
+	return {
+		results: results.map((result) => {
+			const kept = result.diagnostics.filter((diagnostic) => {
+				if (isSuppressed(diagnostic)) {
+					suppressedCount += 1;
+					return false;
+				}
+				return true;
+			});
+			return {
+				...result,
+				diagnostics: kept
+			};
+		}),
+		suppressedCount
+	};
+};
 //#endregion
 //#region src/engines/ai-slop/comment-blocks.ts
 const stripJsdocLine = (line) => line.replace(/^\s*\/\*\*+\s?/, "").replace(/\s*\*+\/\s*$/, "").replace(/^\s*\*\s?/, "").trim();
@@ -3130,6 +3216,7 @@ const getCommentSyntax = (ext) => {
 };
 const getMatchedLinePrefix = (line, syntax) => {
 	const trimmed = line.trimStart();
+	if (isAislopDirectiveLine(trimmed)) return null;
 	for (const prefix of syntax.linePrefixes) {
 		if (!trimmed.startsWith(prefix)) continue;
 		if (prefix === "#" && trimmed.startsWith("#!")) return null;
@@ -3929,9 +4016,7 @@ const isLogOnlyBody = (body) => {
 };
 const detectJsSilentRecovery = (content, relPath) => {
 	const out = [];
-	CATCH_HEAD_RE.lastIndex = 0;
-	let match;
-	while ((match = CATCH_HEAD_RE.exec(content)) !== null) {
+	for (const match of content.matchAll(CATCH_HEAD_RE)) {
 		const body = extractCatchBody(content, match.index + match[0].length - 1);
 		if (body === null) continue;
 		if (!isLogOnlyBody(body)) continue;
@@ -4108,18 +4193,22 @@ const extractPyImportedSymbols = (lines) => {
 			}
 			continue;
 		}
-		const importMatch = trimmed.match(/^import\s+([\w.]+)(?:\s+as\s+(\w+))?/);
+		const importMatch = trimmed.match(/^import\s+(.+)/);
 		if (importMatch) {
 			importLines.add(i);
-			const alias = importMatch[2];
-			if (alias && alias === importMatch[1]) continue;
-			const simpleName = (alias ?? importMatch[1]).split(".")[0];
-			if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
-				name: simpleName,
-				line: i + 1,
-				isDefault: false,
-				isNamespace: true
-			});
+			for (const clause of importMatch[1].replace(/#.*$/, "").split(",")) {
+				const clauseMatch = clause.trim().match(/^([\w.]+)(?:\s+as\s+(\w+))?/);
+				if (!clauseMatch) continue;
+				const alias = clauseMatch[2];
+				if (alias && alias === clauseMatch[1]) continue;
+				const simpleName = (alias ?? clauseMatch[1]).split(".")[0];
+				if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
+					name: simpleName,
+					line: i + 1,
+					isDefault: false,
+					isNamespace: true
+				});
+			}
 		}
 	}
 	return {
@@ -4129,8 +4218,7 @@ const extractPyImportedSymbols = (lines) => {
 };
 const isSymbolUsed = (name, content, importLines, lines) => {
 	const pattern = new RegExp(`\\b${name}\\b`, "g");
-	let match;
-	while ((match = pattern.exec(content)) !== null) {
+	for (const match of content.matchAll(pattern)) {
 		const lineIndex = content.slice(0, match.index).split("\n").length - 1;
 		if (!importLines.has(lineIndex)) return true;
 	}
@@ -4231,6 +4319,18 @@ const aiSlopEngine = {
 //#endregion
 //#region src/engines/architecture/matchers.ts
+const REGEX_SPECIAL_CHARS = new Set([
+	".",
+	"+",
+	"^",
+	"$",
+	"{",
+	"}",
+	"(",
+	")",
+	"|",
+	"\\"
+]);
 const minimatch = (filePath, pattern) => {
 	let regex = "";
 	let i = 0;
@@ -4255,7 +4355,7 @@ const minimatch = (filePath, pattern) => {
 				regex += pattern.slice(i, closeIndex + 1);
 				i = closeIndex + 1;
 			}
-		} else if (".+^${}()|\\".includes(ch)) {
+		} else if (REGEX_SPECIAL_CHARS.has(ch)) {
 			regex += `\\${ch}`;
 			i++;
 		} else {
@@ -4275,27 +4375,15 @@ const extractImports = (content, ext) => {
 		".mjs",
 		".cjs"
 	].includes(ext)) {
-		const esPattern = /(?:import|from)\s+["']([^"']+)["']/g;
-		let match;
-		while ((match = esPattern.exec(content)) !== null) imports.push(match[1]);
-		const reqPattern = /require\s*\(\s*["']([^"']+)["']\s*\)/g;
-		while ((match = reqPattern.exec(content)) !== null) imports.push(match[1]);
-	}
-	if (ext === ".py") {
-		const pyPattern = /(?:from|import)\s+([\w.]+)/g;
-		let match;
-		while ((match = pyPattern.exec(content)) !== null) imports.push(match[1]);
+		for (const match of content.matchAll(/(?:import|from)\s+["']([^"']+)["']/g)) imports.push(match[1]);
+		for (const match of content.matchAll(/require\s*\(\s*["']([^"']+)["']\s*\)/g)) imports.push(match[1]);
 	}
+	if (ext === ".py") for (const match of content.matchAll(/(?:from|import)\s+([\w.]+)/g)) imports.push(match[1]);
 	if (ext === ".go") {
-		const goSingleImport = /^\s*import\s+"([^"]+)"/gm;
-		let match;
-		while ((match = goSingleImport.exec(content)) !== null) imports.push(match[1]);
-		const goMultiImport = /import\s*\(([^)]*)\)/gs;
-		while ((match = goMultiImport.exec(content)) !== null) {
+		for (const match of content.matchAll(/^\s*import\s+"([^"]+)"/gm)) imports.push(match[1]);
+		for (const match of content.matchAll(/import\s*\(([^)]*)\)/gs)) {
 			const block = match[1];
-			const pkgPattern = /"([^"]+)"/g;
-			let pkgMatch;
-			while ((pkgMatch = pkgPattern.exec(block)) !== null) imports.push(pkgMatch[1]);
+			for (const pkgMatch of block.matchAll(/"([^"]+)"/g)) imports.push(pkgMatch[1]);
 		}
 	}
 	return imports;
@@ -4422,10 +4510,10 @@ const architectureEngine = {
 //#endregion
 //#region src/engines/code-quality/function-boundaries.ts
 const PYTHON_CONTROL_FLOW_RE = /^\s*(?:if|for|while|with|try|except|else|elif|finally|def|class)\b/;
-const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
-const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
-const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
-const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
+const ARROW_BLOCK_RE = /=>\s*\{/;
+const ARROW_END_RE = /=>\s*$/;
+const BRACE_START_RE = /^\s*\{/;
+const NEW_STATEMENT_RE = /^(?:export\s+)?(?:const|let|var|function|class)\s/;
 const isControlFlowBrace = (lineText, braceIndex) => {
 	const before = lineText.substring(0, braceIndex).trimEnd();
 	if (before.endsWith(")")) return true;
@@ -4611,14 +4699,14 @@ const countTemplateLines = (bodyLines) => {
 	let templateLineCount = 0;
 	for (const line of bodyLines) {
 		const startedInside = insideTemplate;
-		let escape = false;
+		let escaped = false;
 		for (const ch of line) {
-			if (escape) {
-				escape = false;
+			if (escaped) {
+				escaped = false;
 				continue;
 			}
 			if (ch === "\\") {
-				escape = true;
+				escaped = true;
 				continue;
 			}
 			if (ch === "`") insideTemplate = !insideTemplate;
@@ -5662,9 +5750,7 @@ const runRuffFormat = async (context) => {
 };
 const parseRuffFormatOutput = (output, rootDir) => {
 	const diagnostics = [];
-	const filePattern = /^--- (.+)$/gm;
-	let match;
-	while ((match = filePattern.exec(output)) !== null) {
+	for (const match of output.matchAll(/^--- (.+)$/gm)) {
 		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
 			filePath,
@@ -5698,10 +5784,10 @@ const formatEngine = {
 		const { languages, installedTools } = context;
 		const promises = [];
 		if (languages.includes("typescript") || languages.includes("javascript")) promises.push(runBiomeFormat(context));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffFormat(context));
-		if (languages.includes("go") && installedTools["gofmt"]) promises.push(runGofmt(context));
-		if (languages.includes("rust") && installedTools["rustfmt"]) promises.push(runGenericFormatter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericFormatter(context, "ruby"));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffFormat(context));
+		if (languages.includes("go") && installedTools.gofmt) promises.push(runGofmt(context));
+		if (languages.includes("rust") && installedTools.rustfmt) promises.push(runGenericFormatter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericFormatter(context, "ruby"));
 		if (languages.includes("php") && installedTools["php-cs-fixer"]) promises.push(runGenericFormatter(context, "php"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -6137,6 +6223,8 @@ const createOxlintConfig = (options) => {
 	if (options.mode === "fix") {
 		rules["no-unused-vars"] = "off";
 		rules["react-hooks/exhaustive-deps"] = "off";
+		rules["jsx-a11y/no-aria-hidden-on-focusable"] = "off";
+		rules["unicorn/no-useless-fallback-in-spread"] = "off";
 	}
 	const plugins = [
 		"import",
@@ -6301,9 +6389,7 @@ const collectAmbientGlobals = (rootDir) => {
 		if (!relativePath.endsWith(".d.ts")) continue;
 		const content = readTextFile$1(path.join(rootDir, relativePath));
 		if (!content) continue;
-		AMBIENT_GLOBAL_RE.lastIndex = 0;
-		let match;
-		while ((match = AMBIENT_GLOBAL_RE.exec(content)) !== null) globals.add(match[1]);
+		for (const match of content.matchAll(AMBIENT_GLOBAL_RE)) globals.add(match[1]);
 	}
 	const deps = collectPackageNames(rootDir);
 	if (deps.has("@types/bun") || deps.has("bun-types")) globals.add("Bun");
@@ -6654,10 +6740,10 @@ const lintEngine = {
 			if (context.config.lint.typecheck) promises.push(import("./typecheck-wVSohmOX.js").then((mod) => mod.runTypecheck(context)));
 		}
 		if (context.frameworks.includes("expo")) promises.push(Promise.resolve().then(() => expo_doctor_exports).then((mod) => mod.runExpoDoctor(context)));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffLint(context));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffLint(context));
 		if (languages.includes("go") && installedTools["golangci-lint"]) promises.push(runGolangciLint(context));
-		if (languages.includes("rust") && installedTools["cargo"]) promises.push(runGenericLinter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericLinter(context, "ruby"));
+		if (languages.includes("rust") && installedTools.cargo) promises.push(runGenericLinter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericLinter(context, "ruby"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
 		return {
@@ -6687,7 +6773,7 @@ const runDependencyAudit = async (context) => {
 		else if (fs.existsSync(path.join(context.rootDirectory, "package-lock.json")) || fs.existsSync(path.join(context.rootDirectory, "package.json"))) promises.push(runNpmAudit(context.rootDirectory, timeout));
 	}
 	if (context.languages.includes("python") && context.installedTools["pip-audit"]) promises.push(runPipAudit(context.rootDirectory, timeout));
-	if (context.languages.includes("go") && context.installedTools["govulncheck"]) promises.push(runGovulncheck(context.rootDirectory, timeout));
+	if (context.languages.includes("go") && context.installedTools.govulncheck) promises.push(runGovulncheck(context.rootDirectory, timeout));
 	if (context.languages.includes("rust")) promises.push(runCargoAudit(context.rootDirectory, timeout));
 	const results = await Promise.allSettled(promises);
 	for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -6792,9 +6878,12 @@ const parseLegacyAdvisories = (advisories, source) => {
 	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
 	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
+const carriesAdvisory = (vulnerability) => Array.isArray(vulnerability.via) && vulnerability.via.some((entry) => entry !== null && typeof entry === "object");
 const parseModernVulnerabilities = (vulnerabilities, source) => {
 	const bucket = /* @__PURE__ */ new Map();
+	const hasRootCauses = Object.values(vulnerabilities).some(carriesAdvisory);
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
+		if (hasRootCauses && !carriesAdvisory(vulnerability)) continue;
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
@@ -7082,8 +7171,7 @@ const detectRiskyConstructs = async (context) => {
 			if (!extensions.includes(ext)) continue;
 			if (isMigrationOrSeeder && name === "sql-injection") continue;
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(masked)) !== null) {
+			for (const match of masked.matchAll(regex)) {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
@@ -7215,8 +7303,7 @@ const scanSecrets = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, name, keywordPrefixed } of SECRET_PATTERNS) {
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isPlaceholderValue(match[1] ?? match[0])) continue;
 				if (keywordPrefixed && isInsideStringLiteral(content, match.index)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
@@ -7337,6 +7424,64 @@ const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoot
 //#endregion
 //#region src/utils/discover.ts
+const UNSUPPORTED_CODE_EXTENSIONS = {
+	".c": "C/C++",
+	".h": "C/C++",
+	".cc": "C/C++",
+	".cpp": "C/C++",
+	".cxx": "C/C++",
+	".hpp": "C/C++",
+	".hh": "C/C++",
+	".hxx": "C/C++",
+	".cs": "C#",
+	".swift": "Swift",
+	".kt": "Kotlin",
+	".kts": "Kotlin",
+	".m": "Objective-C",
+	".mm": "Objective-C",
+	".scala": "Scala",
+	".dart": "Dart",
+	".ex": "Elixir",
+	".exs": "Elixir",
+	".erl": "Erlang",
+	".hs": "Haskell",
+	".clj": "Clojure",
+	".cljs": "Clojure",
+	".lua": "Lua",
+	".jl": "Julia",
+	".zig": "Zig",
+	".nim": "Nim",
+	".ml": "OCaml",
+	".fs": "F#",
+	".sol": "Solidity",
+	".groovy": "Groovy"
+};
+const analyzeCoverage = (rootDirectory, excludePatterns = []) => {
+	const allFiles = listProjectFiles(rootDirectory);
+	const supportedFiles = filterProjectFiles(rootDirectory, allFiles, [], excludePatterns).length;
+	const counts = /* @__PURE__ */ new Map();
+	let unsupportedFiles = 0;
+	const candidates = filterProjectFiles(rootDirectory, allFiles, Object.keys(UNSUPPORTED_CODE_EXTENSIONS), excludePatterns);
+	for (const file of candidates) {
+		const lang = UNSUPPORTED_CODE_EXTENSIONS[path.extname(file).toLowerCase()];
+		if (!lang) continue;
+		unsupportedFiles += 1;
+		counts.set(lang, (counts.get(lang) ?? 0) + 1);
+	}
+	let dominantUnsupported = null;
+	let max = 0;
+	for (const [lang, count] of counts) if (count > max) {
+		max = count;
+		dominantUnsupported = lang;
+	}
+	const negligible = supportedFiles === 0 || unsupportedFiles >= 10 && unsupportedFiles > supportedFiles * 3;
+	return {
+		supportedFiles,
+		unsupportedFiles,
+		dominantUnsupported,
+		scoreable: !negligible
+	};
+};
 const LANGUAGE_SIGNALS = {
 	"tsconfig.json": "typescript",
 	"go.mod": "go",
@@ -7456,11 +7601,12 @@ const checkInstalledTools = async () => {
 	}));
 	return results;
 };
-const discoverProject = async (directory) => {
+const discoverProject = async (directory, excludePatterns = []) => {
 	const resolvedDir = path.resolve(directory);
 	const languages = detectLanguages(resolvedDir);
 	const frameworks = detectFrameworks(resolvedDir);
 	const sourceFileCount = countSourceFiles(resolvedDir);
+	const coverage = analyzeCoverage(resolvedDir, excludePatterns);
 	const installedTools = await checkInstalledTools();
 	return {
 		rootDirectory: resolvedDir,
@@ -7468,6 +7614,7 @@ const discoverProject = async (directory) => {
 		languages,
 		frameworks,
 		sourceFileCount,
+		coverage,
 		installedTools
 	};
 };
@@ -8174,7 +8321,7 @@ const uninstallRulesOnly = (opts, paths) => {
 	else result.skipped.push(paths.rules);
 	if (paths.host && paths.marker) {
 		const host = readIfExists(paths.host);
-		if (host != null && host.includes(paths.marker)) {
+		if (host?.includes(paths.marker)) {
 			const stripped = host.split("\n").filter((l) => l.trim() !== paths.marker).join("\n").replace(/\n{3,}/g, "\n\n").trim();
 			applyRemoval(result, opts, paths.host, stripped.length === 0 ? null : `${stripped}\n`);
 		} else result.skipped.push(paths.host);
@@ -8590,7 +8737,7 @@ const uninstallGemini = (opts) => {
 	if (readIfExists(paths.aislopMd) != null) applyRemoval(result, opts, paths.aislopMd, null);
 	else result.skipped.push(paths.aislopMd);
 	const geminiMd = readIfExists(paths.geminiMd);
-	if (geminiMd != null && geminiMd.includes("@AISLOP.md")) {
+	if (geminiMd?.includes("@AISLOP.md")) {
 		const stripped = geminiMd.split("\n").filter((l) => l.trim() !== "@AISLOP.md").join("\n").replace(/\n{3,}/g, "\n\n").trim();
 		applyRemoval(result, opts, paths.geminiMd, stripped.length === 0 ? null : `${stripped}\n`);
 	} else result.skipped.push(paths.geminiMd);
@@ -8887,6 +9034,7 @@ const theme = createTheme();
 //#endregion
 //#region src/commands/hook.ts
+const HOOK_FLUSH_TIMEOUT_MS = 1500;
 const AGENT_LABELS = {
 	claude: {
 		label: "Claude Code",
@@ -9015,6 +9163,7 @@ const hookRun = async (agent, flags) => {
 		process.stderr.write(`hook: agent "${agent}" has no runtime adapter (rules-file-only)\n`);
 		process.exit(0);
 	}
+	await flushTelemetry(HOOK_FLUSH_TIMEOUT_MS);
 	process.exit(exitCode);
 };
 const hookBaseline = async () => {
@@ -9268,12 +9417,12 @@ const badgeCommand = async (options = {}) => {
 		svgUrl,
 		pageUrl
 	});
-	if (options.json) process.stdout.write(JSON.stringify({
+	if (options.json) process.stdout.write(`${JSON.stringify({
 		owner,
 		repo,
 		svgUrl,
 		pageUrl
-	}) + "\n");
+	})}\n`);
 	else process.stdout.write(output);
 	return {
 		owner,
@@ -9574,7 +9723,7 @@ const renderHeader = (input, _deps = {}) => {
 //#endregion
 //#region src/ui/width.ts
-const ANSI_RE = new RegExp(String.raw`\x1B\[[0-9;]*m`, "g");
+const ANSI_RE = new RegExp(`\\[[0-9;]*m`, "g");
 const stripAnsi = (s) => s.replace(ANSI_RE, "");
 const stringWidth = (s) => {
 	const bare = stripAnsi(s);
@@ -9718,6 +9867,8 @@ var LiveGrid = class {
 const RULE_LABELS = {
 	formatting: "Code not formatted",
 	"code-quality/duplicate-block": "Duplicate code block",
+	"code-quality/repeated-chained-call": "Repeated chained call",
+	"code-quality/unused-declaration": "Unused declaration",
 	"complexity/file-too-large": "File too large",
 	"complexity/function-too-long": "Function too long",
 	"complexity/deep-nesting": "Deeply nested code",
@@ -9730,6 +9881,7 @@ const RULE_LABELS = {
 	"knip/binaries": "Unused binary",
 	"knip/exports": "Unused export",
 	"knip/types": "Unused type",
+	"knip/duplicates": "Duplicate export",
 	"ai-slop/trivial-comment": "Trivial restating comment",
 	"ai-slop/swallowed-exception": "Empty catch (swallowed error)",
 	"ai-slop/silent-recovery": "Catch logs then continues",
@@ -9766,6 +9918,7 @@ const RULE_LABELS = {
 	"ai-slop/hallucinated-import": "Import not in package.json",
 	"security/hardcoded-secret": "Possible hardcoded secret",
 	"security/vulnerable-dependency": "Vulnerable dependency",
+	"security/dependency-audit-skipped": "Dependency audit skipped",
 	"security/eval": "eval() usage",
 	"security/innerhtml": "innerHTML assignment",
 	"security/dangerously-set-innerhtml": "dangerouslySetInnerHTML (XSS risk)",
@@ -9923,6 +10076,36 @@ const readHistory = (directory) => {
 	return records;
 };
+//#endregion
+//#region src/commands/scan-coverage.ts
+const coverageReason = (c) => {
+	if (c.supportedFiles === 0 && c.dominantUnsupported) return `This repository is ${c.dominantUnsupported} (${c.unsupportedFiles} files), which aislop does not analyze. No score — it would not reflect this code.`;
+	if (c.supportedFiles === 0) return "No files in a language aislop analyzes (TypeScript, JavaScript, Python, Go, Rust, Ruby, PHP, Java). Nothing to score.";
+	const lang = c.dominantUnsupported ?? "an unsupported language";
+	const files = `${c.supportedFiles} supported file${c.supportedFiles === 1 ? "" : "s"}`;
+	return `This repository is mostly ${lang} (${c.unsupportedFiles} files); aislop analyzed only ${files}. Score withheld — it would represent a sliver of the codebase.`;
+};
+const renderCoverageNotice = (projectInfo, includeHeader) => {
+	const deps = {
+		theme: createTheme(),
+		symbols: createSymbols({ plain: false })
+	};
+	return `${includeHeader === false ? "" : renderHeader({
+		version: APP_VERSION,
+		command: "scan",
+		context: [
+			projectInfo.projectName,
+			projectInfo.languages[0] ?? "unknown",
+			`${projectInfo.sourceFileCount} files`
+		],
+		brand: true
+	}, deps)}  ${coverageReason(projectInfo.coverage)}\n\n`;
+};
+//#endregion
+//#region src/commands/scan-exit-code.ts
+const computeScanExitCode = (opts) => opts.hasErrors || opts.scoreable && opts.score < opts.failBelow ? 1 : 0;
 //#endregion
 //#region src/commands/scan.ts
 const isMachineOutput = (options) => Boolean(options.json) || Boolean(options.sarif);
@@ -10029,7 +10212,7 @@ const scanCommand = async (directory, config, options) => {
 		else log.error(msg);
 		return { exitCode: 1 };
 	}
-	const projectInfo = await discoverProject(resolvedDir);
+	const projectInfo = await discoverProject(resolvedDir, [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)]);
 	return withCommandLifecycle({
 		command: options.command ?? "scan",
 		config: config.telemetry,
@@ -10042,15 +10225,16 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	const showHeader = options.showHeader !== false;
 	const machineOutput = isMachineOutput(options);
 	const useLiveProgress = !machineOutput && shouldUseSpinner();
+	const excludePatterns = [...config.exclude, ...readAislopIgnorePatterns(resolvedDir)];
 	let files;
 	if (options.staged) {
-		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, getStagedFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} staged file(s)`);
 	} else if (options.changes) {
-		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, getChangedFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} changed file(s)`);
 	} else {
-		files = filterProjectFiles(resolvedDir, listProjectFiles(resolvedDir), [], config.exclude);
+		files = filterProjectFiles(resolvedDir, listProjectFiles(resolvedDir), [], excludePatterns);
 		if (!machineOutput) log.muted(`Scope: ${files.length} file(s) after exclusions`);
 	}
 	const configDir = findConfigDir(resolvedDir);
@@ -10104,14 +10288,21 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		if (!machineOutput && !progressRenderer) printEngineStatus(result);
 	});
 	progressRenderer?.stop();
-	const results = rawResults.map((result) => ({
+	const { results, suppressedCount } = applySuppressions(rawResults.map((result) => ({
 		...result,
 		diagnostics: applyRuleSeverities(result.diagnostics, config.rules)
-	}));
+	})), resolvedDir);
+	if (suppressedCount > 0 && !machineOutput) log.muted(`Suppressed ${suppressedCount} finding(s) via aislop-ignore directives`);
 	const allDiagnostics = results.flatMap((r) => r.diagnostics);
 	const elapsedMs = performance.now() - startTime;
 	const scoreResult = calculateScore(allDiagnostics, config.scoring.weights, config.scoring.thresholds, projectInfo.sourceFileCount, config.scoring.smoothing);
-	const exitCode = allDiagnostics.some((d) => d.severity === "error") || scoreResult.score < config.ci.failBelow ? 1 : 0;
+	const scoreable = projectInfo.coverage.scoreable;
+	const exitCode = computeScanExitCode({
+		hasErrors: allDiagnostics.some((d) => d.severity === "error"),
+		scoreable,
+		score: scoreResult.score,
+		failBelow: config.ci.failBelow
+	});
 	const engineIssues = {};
 	const engineTimings = {};
 	for (const r of results) {
@@ -10120,7 +10311,8 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 	}
 	const completion = {
 		exitCode,
-		score: scoreResult.score,
+		score: scoreable ? scoreResult.score : null,
+		scoreable,
 		findingCount: allDiagnostics.length,
 		errorCount: allDiagnostics.filter((d) => d.severity === "error").length,
 		warningCount: allDiagnostics.filter((d) => d.severity === "warning").length,
@@ -10134,11 +10326,18 @@ const runScanBody = async (resolvedDir, config, options, projectInfo) => {
 		return completion;
 	}
 	if (options.json) {
-		const { buildJsonOutput } = await import("./json-OIzja7OM.js");
-		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs);
+		const { buildJsonOutput } = await import("./json-CXV4D0Ib.js");
+		const jsonOut = buildJsonOutput(results, scoreResult, projectInfo.sourceFileCount, elapsedMs, projectInfo.coverage);
 		console.log(JSON.stringify(jsonOut, null, 2));
 		return completion;
 	}
+	if (!scoreable) {
+		if (!machineOutput) {
+			process.stdout.write(renderCoverageNotice(projectInfo, showHeader));
+			if (allDiagnostics.length > 0) process.stdout.write(renderDiagnostics(allDiagnostics, options.verbose ?? false));
+		}
+		return completion;
+	}
 	if (!options.staged && !options.changes && options.command !== "ci" && !isCiEnv()) appendHistory({
 		directory: resolvedDir,
 		score: scoreResult.score,
@@ -10918,7 +11117,7 @@ const ERROR_MESSAGE_PATTERNS = [
 /**
 * Extracts the full text of a console statement spanning multiple lines.
 */
-const getStatementText = (lines, startIndex, span) => {
+const getStatementText = (lines, span) => {
 	const spanLines = [];
 	for (const lineNo of span) spanLines.push(lines[lineNo - 1]);
 	return spanLines.join("\n");
@@ -10930,6 +11129,21 @@ const getStatementText = (lines, startIndex, span) => {
 const shouldUpgradeToError = (statementText) => {
 	return ERROR_MESSAGE_PATTERNS.some((pattern) => pattern.test(statementText));
 };
+const DIAGNOSTIC_PATH_RE = /(?:^|\/)(?:tools|scripts|cli|bin)\/|(?:^|\/)test-[^/]*\.[tj]sx?$|[.-](?:test|spec)\.[tj]sx?$/i;
+const isDiagnosticScriptPath = (filePath) => DIAGNOSTIC_PATH_RE.test(filePath.replace(/\\/g, "/"));
+const firstNonBlank = (lines, from, step, skip) => {
+	for (let i = from; i >= 0 && i < lines.length; i += step) {
+		if (skip.has(i + 1)) continue;
+		if (lines[i].trim() !== "") return lines[i].trim();
+	}
+	return "";
+};
+const wouldEmptyEnclosingBlock = (lines, span, removed) => {
+	const sorted = [...span].sort((a, b) => a - b);
+	const before = firstNonBlank(lines, sorted[0] - 2, -1, removed);
+	const after = firstNonBlank(lines, sorted[sorted.length - 1], 1, removed);
+	return before.endsWith("{") && after.startsWith("}");
+};
 const fixDeadPatterns = async (context) => {
 	const fixable = [...await detectTrivialComments(context), ...await detectDeadPatterns(context)].filter((d) => d.fixable);
 	if (fixable.length === 0) return;
@@ -10943,24 +11157,31 @@ const fixDeadPatterns = async (context) => {
 		});
 		byFile.set(absolute, entries);
 	}
-	for (const [filePath, entries] of byFile) fixFileDeadPatterns(filePath, entries);
+	for (const [filePath, entries] of byFile) fixFileDeadPatterns(filePath, entries, context.rootDirectory);
 };
-const fixFileDeadPatterns = (filePath, entries) => {
+const fixFileDeadPatterns = (filePath, entries, rootDirectory) => {
 	if (!fs.existsSync(filePath)) return;
 	const lines = fs.readFileSync(filePath, "utf-8").split("\n");
 	const linesToRemove = /* @__PURE__ */ new Set();
 	const lineReplacements = /* @__PURE__ */ new Map();
+	const skipConsole = isDiagnosticScriptPath(path.relative(rootDirectory, filePath));
+	const consoleSpans = [];
 	for (const entry of entries) {
 		const index = entry.line - 1;
 		if (index < 0 || index >= lines.length) continue;
 		if (entry.rule === "ai-slop/console-leftover") {
+			if (skipConsole) continue;
 			const span = findStatementSpan(lines, index);
-			if (shouldUpgradeToError(getStatementText(lines, index, span))) {
-				const replaced = lines[index].replace(/console\.(?:log|debug|info|trace|dir|table)\s*\(/, "console.error(");
-				lineReplacements.set(entry.line, replaced);
-			} else for (const lineNo of span) linesToRemove.add(lineNo);
+			if (shouldUpgradeToError(getStatementText(lines, span))) lineReplacements.set(entry.line, lines[index].replace(/console\.(?:log|debug|info|trace|dir|table)\s*\(/, "console.error("));
+			else consoleSpans.push(span);
 		} else linesToRemove.add(entry.line);
 	}
+	const candidateLines = /* @__PURE__ */ new Set();
+	for (const span of consoleSpans) for (const lineNo of span) candidateLines.add(lineNo);
+	for (const span of consoleSpans) {
+		if (wouldEmptyEnclosingBlock(lines, span, candidateLines)) continue;
+		for (const lineNo of span) linesToRemove.add(lineNo);
+	}
 	const result = applyEditsAndCollapse(lines, linesToRemove, lineReplacements);
 	fs.writeFileSync(filePath, result);
 };
@@ -11210,7 +11431,7 @@ const fixUnusedImports = async (context) => {
 			const importSpan = JS_EXTENSIONS$1.has(analysis.ext) ? getJsImportSpan(lines, lineIdx) : [lineIdx];
 			if (allUnused) for (const idx of importSpan) linesToRemove.add(idx);
 			else if (JS_EXTENSIONS$1.has(analysis.ext)) rewriteJsImportSpan(lines, importSpan, syms, unusedNames);
-			else if (PY_EXTENSIONS.has(analysis.ext)) rewritePyImportLine(lines, lineIdx, syms, unusedNames);
+			else if (PY_EXTENSIONS.has(analysis.ext)) rewritePyImportLine(lines, lineIdx, unusedNames);
 		}
 		if (linesToRemove.size === 0 && unused.length === 0) continue;
 		const sortedRemove = [...linesToRemove].sort((a, b) => b - a);
@@ -11274,9 +11495,12 @@ const rewriteJsImportSpan = (lines, span, syms, unusedNames) => {
 	lines[span[0]] = newImport;
 	for (let i = 1; i < span.length; i++) lines[span[i]] = REMOVE_MARKER;
 };
-const rewritePyImportLine = (lines, lineIdx, syms, unusedNames) => {
+const rewritePyImportLine = (lines, lineIdx, unusedNames) => {
 	const fromMatch = lines[lineIdx].match(/^(\s*from\s+[\w.]+\s+import\s+)(.+)$/);
-	if (!fromMatch) return;
+	if (!fromMatch) {
+		rewritePlainPyImportLine(lines, lineIdx, unusedNames);
+		return;
+	}
 	const prefix = fromMatch[1];
 	const importPart = fromMatch[2].replace(/#.*$/, "").trim();
 	const hasParen = importPart.startsWith("(");
@@ -11289,6 +11513,19 @@ const rewritePyImportLine = (lines, lineIdx, syms, unusedNames) => {
 	const joined = keptSpecifiers.join(", ");
 	lines[lineIdx] = hasParen ? `${prefix}(${joined})` : `${prefix}${joined}`;
 };
+const rewritePlainPyImportLine = (lines, lineIdx, unusedNames) => {
+	const match = lines[lineIdx].match(/^(\s*import\s+)(.+)$/);
+	if (!match) return;
+	const prefix = match[1];
+	const specifiers = match[2].replace(/#.*$/, "").split(",").map((s) => s.trim()).filter(Boolean);
+	const kept = specifiers.filter((spec) => {
+		const parts = spec.split(/\s+as\s+/);
+		const localName = parts.length > 1 ? parts[1].trim() : parts[0].trim().split(".")[0];
+		return !unusedNames.has(localName);
+	});
+	if (kept.length === 0 || kept.length === specifiers.length) return;
+	lines[lineIdx] = `${prefix}${kept.join(", ")}`;
+};
 //#endregion
 //#region src/engines/code-quality/unused-removal-ast.ts
@@ -11730,6 +11967,61 @@ const runExpoDoctor = async (context) => {
 	return toDiagnostics(parseIssues(output));
 };
+//#endregion
+//#region src/commands/fix-expo.ts
+const INSTALL_TIMEOUT$1 = 1800 * 1e3;
+const fixExpoDependencies = async (context, onProgress) => {
+	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
+	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
+	if ((await runSubprocess("npx", [
+		"--yes",
+		"expo",
+		"install",
+		"--fix"
+	], {
+		cwd: context.rootDirectory,
+		timeout: INSTALL_TIMEOUT$1
+	})).exitCode === 0) return;
+	onProgress?.("Expo dependency alignment · checking remaining issues");
+	const checkResult = await runSubprocess("npx", [
+		"--yes",
+		"expo",
+		"install",
+		"--check"
+	], {
+		cwd: context.rootDirectory,
+		timeout: INSTALL_TIMEOUT$1
+	});
+	if (checkResult.exitCode !== 0) throw new Error(checkResult.stderr || checkResult.stdout || "expo dependency check failed");
+};
+/**
+* Run expo-doctor to detect packages that should not be installed directly,
+* then uninstall them. No hardcoded list — expo-doctor is the source of truth.
+*/
+const removeDisallowedExpoPackages = async (rootDir, onProgress) => {
+	try {
+		onProgress?.("Expo dependency alignment · running expo-doctor");
+		const result = await runSubprocess("npx", [
+			"--yes",
+			"expo-doctor",
+			rootDir
+		], {
+			cwd: rootDir,
+			timeout: INSTALL_TIMEOUT$1
+		});
+		const output = [result.stdout, result.stderr].filter(Boolean).join("\n");
+		const packagePattern = /The package "([^"]+)" should not be installed directly/g;
+		const toRemove = [];
+		for (const match of output.matchAll(packagePattern)) toRemove.push(match[1]);
+		if (toRemove.length === 0) return;
+		onProgress?.(`Expo dependency alignment · uninstalling ${toRemove.length} package(s)`);
+		await runSubprocess("npm", ["uninstall", ...toRemove], {
+			cwd: rootDir,
+			timeout: INSTALL_TIMEOUT$1
+		});
+	} catch {}
+};
 //#endregion
 //#region src/commands/fix-force.ts
 const INSTALL_TIMEOUT = 1800 * 1e3;
@@ -11867,7 +12159,9 @@ const tryNpmOverrides = async (rootDir, onProgress) => {
 		if (!auditResult.stdout) return;
 		const vulnerabilities = JSON.parse(auditResult.stdout).vulnerabilities;
 		if (!vulnerabilities) return;
-		const overrides = await collectOverrides(rootDir, vulnerabilities, "npm");
+		const rawOverrides = await collectOverrides(rootDir, vulnerabilities, "npm");
+		if (Object.keys(rawOverrides).length === 0) return;
+		const overrides = guardAndReport(rootDir, rawOverrides, onProgress);
 		if (Object.keys(overrides).length === 0) return;
 		const pkgPath = path.join(rootDir, "package.json");
 		const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -11903,6 +12197,76 @@ const collectPnpmOverrides = (advisories) => {
 	}
 	return overrides;
 };
+const overrideName = (key) => {
+	const at = key.lastIndexOf("@");
+	return at > 0 ? key.slice(0, at) : key;
+};
+const guardOverrides = (overrides, installed) => {
+	const safe = {};
+	const skipped = [];
+	for (const [key, target] of Object.entries(overrides)) {
+		const current = installed.get(overrideName(key));
+		if (current && isDowngrade(current, target)) {
+			skipped.push(`${overrideName(key)} ${current} → ${target}`);
+			continue;
+		}
+		safe[key] = target;
+	}
+	return {
+		safe,
+		skipped
+	};
+};
+const readRootNodeModulesVersion = (rootDir, name) => {
+	try {
+		const manifest = path.join(rootDir, "node_modules", name, "package.json");
+		const version = JSON.parse(fs.readFileSync(manifest, "utf-8")).version;
+		return typeof version === "string" ? version : null;
+	} catch {
+		return null;
+	}
+};
+const PNPM_STORE_VERSION_RE = /^(\d+\.\d+\.\d+[^_(]*)/;
+const isHigherVersion = (candidate, current) => {
+	if (!current) return true;
+	const a = parseSemverMin(candidate);
+	const b = parseSemverMin(current);
+	if (!a || !b) return false;
+	for (let i = 0; i < 3; i++) {
+		if ((a[i] ?? 0) > (b[i] ?? 0)) return true;
+		if ((a[i] ?? 0) < (b[i] ?? 0)) return false;
+	}
+	return false;
+};
+const readPnpmStoreVersion = (rootDir, name) => {
+	let entries;
+	try {
+		entries = fs.readdirSync(path.join(rootDir, "node_modules", ".pnpm"));
+	} catch {
+		return null;
+	}
+	const prefix = `${name.replace(/\//g, "+")}@`;
+	let best = null;
+	for (const entry of entries) {
+		if (!entry.startsWith(prefix)) continue;
+		const match = PNPM_STORE_VERSION_RE.exec(entry.slice(prefix.length));
+		if (match && isHigherVersion(match[1], best)) best = match[1];
+	}
+	return best;
+};
+const readInstalledVersions = (rootDir, names) => {
+	const map = /* @__PURE__ */ new Map();
+	for (const name of names) {
+		const version = readRootNodeModulesVersion(rootDir, name) ?? readPnpmStoreVersion(rootDir, name);
+		if (version) map.set(name, version);
+	}
+	return map;
+};
+const guardAndReport = (rootDir, rawOverrides, onProgress) => {
+	const { safe, skipped } = guardOverrides(rawOverrides, readInstalledVersions(rootDir, Object.keys(rawOverrides).map(overrideName)));
+	if (skipped.length > 0) onProgress?.(`Dependency audit fixes · skipped ${skipped.length} downgrade(s), verify intent: ${skipped.join(", ")}`);
+	return safe;
+};
 const isPnpmAuditRetired = (stdout, stderr) => {
 	const haystack = `${stdout}\n${stderr}`.toLowerCase();
 	return haystack.includes("410") || haystack.includes("gone") || haystack.includes("retired") || haystack.includes("endpoint") || haystack.includes("err_pnpm_audit") || haystack.includes("audit endpoint");
@@ -11926,7 +12290,9 @@ const tryPnpmOverrides = async (rootDir, onProgress) => {
 	}
 	const advisories = parsed.advisories;
 	if (!advisories || Object.keys(advisories).length === 0) return true;
-	const overrides = collectPnpmOverrides(advisories);
+	const rawOverrides = collectPnpmOverrides(advisories);
+	if (Object.keys(rawOverrides).length === 0) return true;
+	const overrides = guardAndReport(rootDir, rawOverrides, onProgress);
 	if (Object.keys(overrides).length === 0) return true;
 	const pkgPath = path.join(rootDir, "package.json");
 	const pkg = JSON.parse(fs.readFileSync(pkgPath, "utf-8"));
@@ -11947,58 +12313,6 @@ const tryPnpmOverrides = async (rootDir, onProgress) => {
 	});
 	return true;
 };
-const fixExpoDependencies = async (context, onProgress) => {
-	await removeDisallowedExpoPackages(context.rootDirectory, onProgress);
-	onProgress?.("Expo dependency alignment · running expo install --fix (can take a few minutes)");
-	if ((await runSubprocess("npx", [
-		"--yes",
-		"expo",
-		"install",
-		"--fix"
-	], {
-		cwd: context.rootDirectory,
-		timeout: INSTALL_TIMEOUT
-	})).exitCode === 0) return;
-	onProgress?.("Expo dependency alignment · checking remaining issues");
-	const checkResult = await runSubprocess("npx", [
-		"--yes",
-		"expo",
-		"install",
-		"--check"
-	], {
-		cwd: context.rootDirectory,
-		timeout: INSTALL_TIMEOUT
-	});
-	if (checkResult.exitCode !== 0) throw new Error(checkResult.stderr || checkResult.stdout || "expo dependency check failed");
-};
-/**
-* Run expo-doctor to detect packages that should not be installed directly,
-* then uninstall them. No hardcoded list — expo-doctor is the source of truth.
-*/
-const removeDisallowedExpoPackages = async (rootDir, onProgress) => {
-	try {
-		onProgress?.("Expo dependency alignment · running expo-doctor");
-		const result = await runSubprocess("npx", [
-			"--yes",
-			"expo-doctor",
-			rootDir
-		], {
-			cwd: rootDir,
-			timeout: INSTALL_TIMEOUT
-		});
-		const output = [result.stdout, result.stderr].filter(Boolean).join("\n");
-		const packagePattern = /The package "([^"]+)" should not be installed directly/g;
-		const toRemove = [];
-		let match;
-		while ((match = packagePattern.exec(output)) !== null) toRemove.push(match[1]);
-		if (toRemove.length === 0) return;
-		onProgress?.(`Expo dependency alignment · uninstalling ${toRemove.length} package(s)`);
-		await runSubprocess("npm", ["uninstall", ...toRemove], {
-			cwd: rootDir,
-			timeout: INSTALL_TIMEOUT
-		});
-	} catch {}
-};
 //#endregion
 //#region src/commands/fix-pipeline.ts
@@ -12007,6 +12321,10 @@ const runAiSlopSteps = async (deps) => {
 	if (!deps.config.engines["ai-slop"]) return;
 	await deps.runStep("Unused imports", () => detectUnusedImports(deps.context), () => fixUnusedImports(deps.context));
 	await deps.runStep("Duplicate imports", () => detectDuplicateImports(deps.context), () => fixDuplicateImports(deps.context));
+	if (deps.safe) {
+		await deps.runStep("Narrative comments", async () => (await detectNarrativeComments(deps.context)).filter((d) => d.fixable), () => fixNarrativeComments(deps.context));
+		return;
+	}
 	const detectFixableSlop = async () => {
 		const [comments, dead, narrative] = await Promise.all([
 			detectTrivialComments(deps.context),
@@ -12157,19 +12475,23 @@ const runFixBody = async (resolvedDir, config, options, projectInfo) => {
 		});
 		return result;
 	};
+	const safe = Boolean(options.safe);
 	const pipelineDeps = {
 		rail,
 		context,
 		config,
 		resolvedDir,
 		projectInfo,
-		force: Boolean(options.force),
+		force: safe ? false : Boolean(options.force),
+		safe,
 		runStep
 	};
 	await runAiSlopSteps(pipelineDeps);
-	await runDeclarationStep(pipelineDeps);
-	await runLintSteps(pipelineDeps);
-	await runDependencyStep(pipelineDeps);
+	if (!safe) {
+		await runDeclarationStep(pipelineDeps);
+		await runLintSteps(pipelineDeps);
+		await runDependencyStep(pipelineDeps);
+	}
 	await runFormattingStep(pipelineDeps);
 	await runForceSteps(pipelineDeps);
 	const totalResolved = steps.reduce((sum, s) => sum + s.resolvedIssues, 0);
@@ -12517,6 +12839,7 @@ const AI_SLOP_FIXABLE = new Set([
 	"ai-slop/duplicate-import"
 ]);
 const AI_SLOP_ERRORS = new Set(["ai-slop/hallucinated-import"]);
+const SECURITY_INFO = new Set(["security/dependency-audit-skipped"]);
 const BUILTIN_RULES = [
 	{
 		engine: "format",
@@ -12552,6 +12875,10 @@ const BUILTIN_RULES = [
 			"knip/binaries",
 			"knip/exports",
 			"knip/types",
+			"knip/duplicates",
+			"code-quality/duplicate-block",
+			"code-quality/repeated-chained-call",
+			"code-quality/unused-declaration",
 			"complexity/file-too-large",
 			"complexity/function-too-long",
 			"complexity/deep-nesting",
@@ -12604,8 +12931,10 @@ const BUILTIN_RULES = [
 			"security/vulnerable-dependency",
 			"security/eval",
 			"security/innerhtml",
+			"security/dangerously-set-innerhtml",
 			"security/sql-injection",
-			"security/shell-injection"
+			"security/shell-injection",
+			"security/dependency-audit-skipped"
 		]
 	}
 ];
@@ -12619,7 +12948,7 @@ const toRuleEntry = (engine, ruleId) => {
 	if (engine === "security") return {
 		id: ruleId,
 		engine,
-		severity: "error",
+		severity: SECURITY_INFO.has(ruleId) ? "info" : "error",
 		fixable: false
 	};
 	if (engine === "ai-slop") return {
@@ -13063,13 +13392,14 @@ const FIX_AGENT_FLAGS = [
 const matchFixAgent = (flags) => {
 	return FIX_AGENT_FLAGS.find((a) => flags[a.name])?.flag;
 };
-const fixProgram = program.command("fix [directory]").description("Auto-fix ai slop in codebase").option("-d, --verbose", "show detailed fix progress").option("-f, --force", "run aggressive fixes (audit and framework dependency alignment)").option("-p, --prompt", "print a prompt for your coding agent to fix remaining issues");
+const fixProgram = program.command("fix [directory]").description("Auto-fix ai slop in codebase").option("-d, --verbose", "show detailed fix progress").option("-f, --force", "run aggressive fixes (audit and framework dependency alignment)").option("--safe", "only apply reversible fixes (imports, comment removal, formatting); skip anything that deletes code or rewrites behaviour").option("-p, --prompt", "print a prompt for your coding agent to fix remaining issues");
 for (const a of FIX_AGENT_FLAGS) fixProgram.option(`--${a.flag}`, a.help);
 fixProgram.action(async (directory = ".", _flags, command) => {
 	const flags = command.optsWithGlobals();
 	await fixCommand(directory, loadConfig(directory), {
 		verbose: Boolean(flags.verbose),
 		force: Boolean(flags.force),
+		safe: Boolean(flags.safe),
 		prompt: Boolean(flags.prompt),
 		agent: matchFixAgent(flags)
 	});