aislop 0.10.1 → 0.11.0

package/dist/mcp.js

@@ -59,7 +59,8 @@ const DEFAULT_CONFIG = {
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	},
 	ci: {
 		failBelow: 70,
@@ -150,7 +151,8 @@ const ScoringSchema = z$1.object({
 		good: 75,
 		ok: 50
 	})),
-	smoothing: z$1.number().nonnegative().default(20)
+	smoothing: z$1.number().nonnegative().default(20),
+	maxPerRule: z$1.number().positive().default(40)
 });
 const CiSchema = z$1.object({
 	failBelow: z$1.number().default(70),
@@ -190,7 +192,8 @@ const AislopConfigSchema = z$1.object({
 			good: 75,
 			ok: 50
 		},
-		smoothing: 20
+		smoothing: 20,
+		maxPerRule: 40
 	})),
 	ci: CiSchema.default(() => ({
 		failBelow: 70,
@@ -263,218 +266,6 @@ const loadConfig = (directory) => {
 	}
 };
 
-//#endregion
-//#region src/utils/source-masker.ts
-const JS_EXTS$2 = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs"
-]);
-const PY_EXTS = new Set([".py"]);
-const RB_EXTS = new Set([".rb"]);
-const PHP_EXTS = new Set([".php"]);
-const familyForExt = (ext) => {
-	if (JS_EXTS$2.has(ext)) return "js";
-	if (PY_EXTS.has(ext)) return "py";
-	if (RB_EXTS.has(ext)) return "rb";
-	if (PHP_EXTS.has(ext)) return "php";
-	return "none";
-};
-const maskStringsAndComments = (content, ext) => {
-	const family = familyForExt(ext);
-	if (family === "none") return content;
-	if (family === "js") return maskJs(content, true);
-	return maskSimple(content, family, true);
-};
-const maskComments = (content, ext) => {
-	const family = familyForExt(ext);
-	if (family === "none") return content;
-	if (family === "js") return maskJs(content, false);
-	return maskSimple(content, family, false);
-};
-const handleQuotesAndComments = (content, i, tplStack, mask, maskStrings) => {
-	const len = content.length;
-	const c = content[i];
-	const next = content[i + 1];
-	if (c === "\"" || c === "'") {
-		const strStart = i;
-		const end = consumeQuotedString(content, i, c);
-		if (maskStrings) mask(strStart + 1, end - 1);
-		return {
-			handled: true,
-			nextI: end
-		};
-	}
-	if (c === "`") {
-		const scan = consumeTemplateString(content, i + 1);
-		if (maskStrings) mask(i + 1, scan.maskEnd);
-		if (scan.openedInterp) tplStack.push(0);
-		return {
-			handled: true,
-			nextI: scan.resumeAt
-		};
-	}
-	if (c === "/" && next === "/") {
-		const strStart = i;
-		let k = i;
-		while (k < len && content[k] !== "\n") k++;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	if (c === "/" && next === "*") {
-		const strStart = i;
-		let k = i + 2;
-		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
-		if (k < len - 1) k += 2;
-		mask(strStart, k);
-		return {
-			handled: true,
-			nextI: k
-		};
-	}
-	return {
-		handled: false,
-		nextI: i
-	};
-};
-const maskJs = (content, maskStrings) => {
-	const out = content.split("");
-	const len = content.length;
-	const tplStack = [];
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		if (tplStack.length > 0) {
-			if (c === "{") {
-				tplStack[tplStack.length - 1]++;
-				i++;
-				continue;
-			}
-			if (c === "}") {
-				if (tplStack[tplStack.length - 1] === 0) {
-					tplStack.pop();
-					const scan = consumeTemplateString(content, i + 1);
-					if (maskStrings) mask(i + 1, scan.maskEnd);
-					if (scan.openedInterp) tplStack.push(0);
-					i = scan.resumeAt;
-					continue;
-				}
-				tplStack[tplStack.length - 1]--;
-				i++;
-				continue;
-			}
-		}
-		const handled = handleQuotesAndComments(content, i, tplStack, mask, maskStrings);
-		if (handled.handled) {
-			i = handled.nextI;
-			continue;
-		}
-		i++;
-	}
-	return out.join("");
-};
-const consumeQuotedString = (content, start, quote) => {
-	const len = content.length;
-	let i = start + 1;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === quote) return i + 1;
-		if (c === "\n") return i;
-		i++;
-	}
-	return i;
-};
-const consumeTemplateString = (content, start) => {
-	const len = content.length;
-	let i = start;
-	while (i < len) {
-		const c = content[i];
-		if (c === "\\" && i + 1 < len) {
-			i += 2;
-			continue;
-		}
-		if (c === "`") return {
-			maskEnd: i,
-			resumeAt: i + 1,
-			openedInterp: false
-		};
-		if (c === "$" && content[i + 1] === "{") return {
-			maskEnd: i,
-			resumeAt: i + 2,
-			openedInterp: true
-		};
-		i++;
-	}
-	return {
-		maskEnd: i,
-		resumeAt: i,
-		openedInterp: false
-	};
-};
-const maskSimple = (content, family, maskStrings) => {
-	const out = content.split("");
-	const len = content.length;
-	let i = 0;
-	const mask = (start, end) => {
-		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
-	};
-	while (i < len) {
-		const c = content[i];
-		const next = content[i + 1];
-		if (family === "py" && (c === "\"" || c === "'")) {
-			if (content[i + 1] === c && content[i + 2] === c) {
-				const triple = c + c + c;
-				const end = content.indexOf(triple, i + 3);
-				const stop = end === -1 ? len : end + 3;
-				if (maskStrings) mask(i + 3, stop - 3);
-				i = stop;
-				continue;
-			}
-		}
-		if (c === "\"" || c === "'") {
-			const strStart = i;
-			i = consumeQuotedString(content, i, c);
-			if (maskStrings) mask(strStart + 1, i - 1);
-			continue;
-		}
-		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "/") {
-			const strStart = i;
-			while (i < len && content[i] !== "\n") i++;
-			mask(strStart, i);
-			continue;
-		}
-		if (family === "php" && c === "/" && next === "*") {
-			const strStart = i;
-			i += 2;
-			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
-			if (i < len - 1) i += 2;
-			mask(strStart, i);
-			continue;
-		}
-		i++;
-	}
-	return out.join("");
-};
-
 //#endregion
 //#region src/utils/source-files.ts
 const MAX_BUFFER = 50 * 1024 * 1024;
@@ -713,14 +504,226 @@ const isAutoGenerated = (filePath) => {
 		} catch {}
 	}
 };
-const getSourceFilesForRoot = (rootDirectory) => filterProjectFiles(rootDirectory, listProjectFiles(rootDirectory));
-const getSourceFiles = (context) => {
-	if (context.files) return filterExplicitFiles(context.rootDirectory, context.files);
-	return getSourceFilesForRoot(context.rootDirectory);
-};
-const getSourceFilesWithExtras = (context, extraExtensions) => {
-	if (context.files) return filterExplicitFiles(context.rootDirectory, context.files, extraExtensions);
-	return filterProjectFiles(context.rootDirectory, listProjectFiles(context.rootDirectory), extraExtensions);
+const getSourceFilesForRoot = (rootDirectory) => filterProjectFiles(rootDirectory, listProjectFiles(rootDirectory));
+const getSourceFiles = (context) => {
+	if (context.files) return filterExplicitFiles(context.rootDirectory, context.files);
+	return getSourceFilesForRoot(context.rootDirectory);
+};
+const getSourceFilesWithExtras = (context, extraExtensions) => {
+	if (context.files) return filterExplicitFiles(context.rootDirectory, context.files, extraExtensions);
+	return filterProjectFiles(context.rootDirectory, listProjectFiles(context.rootDirectory), extraExtensions);
+};
+
+//#endregion
+//#region src/utils/source-masker.ts
+const JS_EXTS$2 = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs"
+]);
+const PY_EXTS = new Set([".py"]);
+const RB_EXTS = new Set([".rb"]);
+const PHP_EXTS = new Set([".php"]);
+const familyForExt = (ext) => {
+	if (JS_EXTS$2.has(ext)) return "js";
+	if (PY_EXTS.has(ext)) return "py";
+	if (RB_EXTS.has(ext)) return "rb";
+	if (PHP_EXTS.has(ext)) return "php";
+	return "none";
+};
+const maskStringsAndComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, true);
+	return maskSimple(content, family, true);
+};
+const maskComments = (content, ext) => {
+	const family = familyForExt(ext);
+	if (family === "none") return content;
+	if (family === "js") return maskJs(content, false);
+	return maskSimple(content, family, false);
+};
+const handleQuotesAndComments = (content, i, tplStack, mask, maskStrings) => {
+	const len = content.length;
+	const c = content[i];
+	const next = content[i + 1];
+	if (c === "\"" || c === "'") {
+		const strStart = i;
+		const end = consumeQuotedString(content, i, c);
+		if (maskStrings) mask(strStart + 1, end - 1);
+		return {
+			handled: true,
+			nextI: end
+		};
+	}
+	if (c === "`") {
+		const scan = consumeTemplateString(content, i + 1);
+		if (maskStrings) mask(i + 1, scan.maskEnd);
+		if (scan.openedInterp) tplStack.push(0);
+		return {
+			handled: true,
+			nextI: scan.resumeAt
+		};
+	}
+	if (c === "/" && next === "/") {
+		const strStart = i;
+		let k = i;
+		while (k < len && content[k] !== "\n") k++;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	if (c === "/" && next === "*") {
+		const strStart = i;
+		let k = i + 2;
+		while (k < len - 1 && !(content[k] === "*" && content[k + 1] === "/")) k++;
+		if (k < len - 1) k += 2;
+		mask(strStart, k);
+		return {
+			handled: true,
+			nextI: k
+		};
+	}
+	return {
+		handled: false,
+		nextI: i
+	};
+};
+const maskJs = (content, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	const tplStack = [];
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		if (tplStack.length > 0) {
+			if (c === "{") {
+				tplStack[tplStack.length - 1]++;
+				i++;
+				continue;
+			}
+			if (c === "}") {
+				if (tplStack[tplStack.length - 1] === 0) {
+					tplStack.pop();
+					const scan = consumeTemplateString(content, i + 1);
+					if (maskStrings) mask(i + 1, scan.maskEnd);
+					if (scan.openedInterp) tplStack.push(0);
+					i = scan.resumeAt;
+					continue;
+				}
+				tplStack[tplStack.length - 1]--;
+				i++;
+				continue;
+			}
+		}
+		const handled = handleQuotesAndComments(content, i, tplStack, mask, maskStrings);
+		if (handled.handled) {
+			i = handled.nextI;
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
+};
+const consumeQuotedString = (content, start, quote) => {
+	const len = content.length;
+	let i = start + 1;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === quote) return i + 1;
+		if (c === "\n") return i;
+		i++;
+	}
+	return i;
+};
+const consumeTemplateString = (content, start) => {
+	const len = content.length;
+	let i = start;
+	while (i < len) {
+		const c = content[i];
+		if (c === "\\" && i + 1 < len) {
+			i += 2;
+			continue;
+		}
+		if (c === "`") return {
+			maskEnd: i,
+			resumeAt: i + 1,
+			openedInterp: false
+		};
+		if (c === "$" && content[i + 1] === "{") return {
+			maskEnd: i,
+			resumeAt: i + 2,
+			openedInterp: true
+		};
+		i++;
+	}
+	return {
+		maskEnd: i,
+		resumeAt: i,
+		openedInterp: false
+	};
+};
+const maskSimple = (content, family, maskStrings) => {
+	const out = content.split("");
+	const len = content.length;
+	let i = 0;
+	const mask = (start, end) => {
+		for (let k = start; k < end; k++) if (out[k] !== "\n") out[k] = " ";
+	};
+	while (i < len) {
+		const c = content[i];
+		const next = content[i + 1];
+		if (family === "py" && (c === "\"" || c === "'")) {
+			if (content[i + 1] === c && content[i + 2] === c) {
+				const triple = c + c + c;
+				const end = content.indexOf(triple, i + 3);
+				const stop = end === -1 ? len : end + 3;
+				if (maskStrings) mask(i + 3, stop - 3);
+				i = stop;
+				continue;
+			}
+		}
+		if (c === "\"" || c === "'") {
+			const strStart = i;
+			i = consumeQuotedString(content, i, c);
+			if (maskStrings) mask(strStart + 1, i - 1);
+			continue;
+		}
+		if ((family === "py" || family === "rb" || family === "php") && c === "#") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "/") {
+			const strStart = i;
+			while (i < len && content[i] !== "\n") i++;
+			mask(strStart, i);
+			continue;
+		}
+		if (family === "php" && c === "/" && next === "*") {
+			const strStart = i;
+			i += 2;
+			while (i < len - 1 && !(content[i] === "*" && content[i + 1] === "/")) i++;
+			if (i < len - 1) i += 2;
+			mask(strStart, i);
+			continue;
+		}
+		i++;
+	}
+	return out.join("");
 };
 
 //#endregion
@@ -768,16 +771,14 @@ const detectThinWrappers = (content, relativePath, ext) => {
 	for (const { pattern, extensions } of THIN_WRAPPER_PATTERNS) {
 		if (!extensions.has(ext)) continue;
 		const regex = new RegExp(pattern.source, pattern.flags);
-		let match;
-		while ((match = regex.exec(content)) !== null) {
+		for (const match of content.matchAll(regex)) {
 			const funcName = match[1];
 			const matchText = match[0];
 			const lineNumber = content.slice(0, match.index).split("\n").length;
 			if (DUNDER_PATTERN.test(funcName)) continue;
 			if (FRAMEWORK_METHOD_NAMES.test(funcName)) continue;
 			if (lineNumber >= 2) {
-				const prevLine = lines[lineNumber - 2]?.trim();
-				if (prevLine && prevLine.startsWith("@")) continue;
+				if ((lines[lineNumber - 2]?.trim())?.startsWith("@")) continue;
 			}
 			if (!isIdentityForward(matchText)) continue;
 			if (isUseContextWrapper(matchText)) continue;
@@ -961,8 +962,8 @@ const PHP_DECL_START = /^\s*(?:(?:public|private|protected|static|final|abstract
 
 //#endregion
 //#region src/engines/ai-slop/non-production-paths.ts
-const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
-const BASENAME_PATTERN = /(?:^|\/)(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example)\.[mc]?[jt]sx?$/i;
+const DIR_PATTERN = /(?:^|\/)(?:scripts|bin|examples?|demos?|docs?|bench|benches|benchmarks?|fixtures?|__fixtures__|__mocks__|__tests__|prototypes?|experiments?|vendor|_vendor|vendored|third_party|blib2to3|lib2to3|cli|cli-[\w-]+|[\w-]+-cli)\//i;
+const BASENAME_PATTERN = /(?:^|\/)(?:(?:prototype|experiment)(?:[-_.][^/]*)?|(?:benchmark|bench|demo|example|script|seed|migrate|profile|smoke|stress|load|debug|repro)[-_.][^/]*)\.[mc]?[jt]sx?$|(?:^|\/)[^/]+[-_](?:benchmark|bench|demo|example|prototype|experiment)\.[mc]?[jt]sx?$/i;
 const isNonProductionPath = (relativePath) => DIR_PATTERN.test(relativePath) || BASENAME_PATTERN.test(relativePath);
 
 //#endregion
@@ -1078,7 +1079,7 @@ const JS_EXTENSIONS$3 = new Set([
 	".mjs",
 	".cjs"
 ]);
-const CONSOLE_LOG_PATTERN = /\bconsole\.(?:log|debug|info|trace|dir|table)\s*\(/;
+const CONSOLE_CALL_PATTERN = /\bconsole\.(log|debug|info|trace|dir|table)\s*\(/;
 const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	filePath,
 	engine: "ai-slop",
@@ -1092,20 +1093,35 @@ const slop = (filePath, line, rule, severity, message, help, fixable) => ({
 	fixable
 });
 const LOGGER_FILE_PATTERN = /(?:^|\/)(?:logger|logging|log)\.[^/]+$/i;
+const CLI_ENTRYPOINT_PATTERN = /(?:^|\/)(?:cli|cli[-_.][^/]*|[^/]+[-_]cli)\.[mc]?[jt]sx?$/i;
+const ENTRYPOINT_GUARD_PATTERN = /\b(?:import\.meta\.main|require\.main\s*===\s*module)\b/;
+const OPERATIONAL_LOG_PATTERN = /\bconsole\.(?:log|info)\s*\(\s*(?:`|["'])\s*\[[^\]\n]{1,48}\]/;
+const DEBUG_SIGNAL_PATTERN = /\b(?:debug|dbg|trace|dump|inspect|todo|tmp|temp|remove\s+me|leftover|here|checkpoint)\b/i;
+const shouldFlagConsoleCall = (trimmed) => {
+	const match = CONSOLE_CALL_PATTERN.exec(trimmed);
+	if (!match) return false;
+	const method = match[1];
+	if (method === "trace" || method === "dir" || method === "table") return true;
+	if (method === "debug") return DEBUG_SIGNAL_PATTERN.test(trimmed) || !OPERATIONAL_LOG_PATTERN.test(trimmed);
+	if (method === "info" || method === "log") {
+		if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) return false;
+		if (OPERATIONAL_LOG_PATTERN.test(trimmed)) return false;
+		return true;
+	}
+	return false;
+};
 const detectConsoleLeftovers = (content, relativePath, ext) => {
 	if (!JS_EXTENSIONS$3.has(ext)) return [];
 	if (LOGGER_FILE_PATTERN.test(relativePath)) return [];
-	if (isNonProductionPath(relativePath)) return [];
+	if (isNonProductionPath(relativePath) || CLI_ENTRYPOINT_PATTERN.test(relativePath)) return [];
+	if (content.startsWith("#!")) return [];
+	if (ENTRYPOINT_GUARD_PATTERN.test(content)) return [];
 	const diagnostics = [];
 	const lines = content.split("\n");
 	for (let i = 0; i < lines.length; i++) {
 		const trimmed = lines[i].trim();
 		if (trimmed.startsWith("//") || trimmed.startsWith("*")) continue;
-		if (CONSOLE_LOG_PATTERN.test(trimmed)) {
-			if (/console\.(?:error|warn)\s*\(/.test(trimmed)) continue;
-			if (/console\.log\(\s*JSON\.stringify\b/.test(trimmed)) continue;
-			diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
-		}
+		if (shouldFlagConsoleCall(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/console-leftover", "warning", "console.log/debug/info statement left in production code", "Remove debugging console statements or replace with a proper logger", true));
 	}
 	return diagnostics;
 };
@@ -1133,6 +1149,7 @@ const isGuardedSingleLineExit = (lines, lineIndex) => {
 	const control = contextLines.join(" ");
 	return /(?:^|[}\s])(?:if|else\s+if|for|while)\s*\(/.test(control) && !/{\s*$/.test(control);
 };
+const isPropertyNoopAssignment = (trimmed) => /^(?:[\w$]+\.)+[\w$]+\s*=\s*(?:function\s*)?\([^)]*\)\s*(?:=>)?\s*\{\s*\}\s*;?$/.test(trimmed);
 const detectTodoStubs = (content, relativePath) => {
 	const diagnostics = [];
 	const lines = content.split("\n");
@@ -1154,7 +1171,7 @@ const detectDeadCodePatterns = (content, relativePath, ext) => {
 		const nextLine = i + 1 < lines.length ? lines[i + 1]?.trim() : void 0;
 		if (JS_EXTENSIONS$3.has(ext) && /^(?:return|throw)\b/.test(trimmed) && trimmed.endsWith(";") && nextLine && nextLine.length > 0 && !isGuardedSingleLineExit(lines, i) && !isBlockCloserAfterReturn(nextLine) && !nextLine.startsWith("//") && !nextLine.startsWith("/*") && !nextLine.startsWith("case ") && !nextLine.startsWith("default:") && !nextLine.startsWith("if ") && !nextLine.startsWith("if(") && !nextLine.startsWith("else")) diagnostics.push(slop(relativePath, i + 2, "ai-slop/unreachable-code", "warning", "Code after return/throw statement is unreachable", "Remove the unreachable code or restructure the control flow", false));
 		if (/\bif\s*\(\s*(?:false|true|0|1)\s*\)/.test(trimmed) && !trimmed.startsWith("//") && !trimmed.startsWith("*") && !/["'`].*\bif\s*\(/.test(trimmed) && !/\/.*\bif\s*\(/.test(trimmed.replace(/\/\/.*$/, ""))) diagnostics.push(slop(relativePath, i + 1, "ai-slop/constant-condition", "warning", "Conditional with a constant value — likely debugging leftover", "Remove the constant condition or replace with proper logic", false));
-		if (JS_EXTENSIONS$3.has(ext) && /(?:function\s+\w+|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ")) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
+		if (JS_EXTENSIONS$3.has(ext) && /(?:function\s+\w+\s*\([^)]*\)|=>\s*)\s*\{\s*\}\s*;?\s*$/.test(trimmed) && !trimmed.startsWith("interface") && !trimmed.startsWith("type ") && !isPropertyNoopAssignment(trimmed)) diagnostics.push(slop(relativePath, i + 1, "ai-slop/empty-function", "info", "Empty function body — possible stub or unfinished implementation", "Implement the function body or add a comment explaining why it's empty", false));
 	}
 	return diagnostics;
 };
@@ -1540,9 +1557,8 @@ const detectSwallowedExceptions = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, languages, message } of SWALLOWED_EXCEPTION_PATTERNS) {
 			if (!languages.includes(ext)) continue;
-			let match;
 			const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes("g") ? "" : "g"));
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isIntentionalIgnore(match[0], ext)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
 				diagnostics.push({
@@ -1558,240 +1574,80 @@ const detectSwallowedExceptions = async (context) => {
 					fixable: false
 				});
 			}
-		}
-	}
-	return diagnostics;
-};
-
-//#endregion
-//#region src/engines/ai-slop/go-patterns.ts
-const GO_EXTENSIONS = new Set([".go"]);
-const PACKAGE_DECL_RE = /^\s*package\s+(\w+)/;
-const PANIC_CALL_RE = /\bpanic\s*\(/;
-const COMMENT_LINE_RE$1 = /^\s*\/\//;
-const NIL_GUARD_RE = /^\s*if\s+[\w.]+(?:\(\))?\s*==\s*nil\s*\{?\s*$/;
-const SHORT_STRING_PANIC_RE = /\bpanic\s*\(\s*"[^"]{1,40}"\s*\)/;
-const detectPackageName = (lines) => {
-	for (const line of lines) {
-		const m = PACKAGE_DECL_RE.exec(line);
-		if (m) return m[1];
-	}
-	return null;
-};
-const PANIC_INTENT_LOOKBACK = 3;
-const hasIntentComment$1 = (lines, panicLineIdx) => {
-	for (let j = panicLineIdx - 1; j >= Math.max(0, panicLineIdx - PANIC_INTENT_LOOKBACK); j--) if (COMMENT_LINE_RE$1.test(lines[j])) return true;
-	return false;
-};
-const isNilGuardPanic = (lines, panicLineIdx, line) => {
-	if (!SHORT_STRING_PANIC_RE.test(line)) return false;
-	for (let j = panicLineIdx - 1; j >= Math.max(0, panicLineIdx - 2); j--) {
-		const prev = lines[j];
-		if (prev.trim() === "") continue;
-		return NIL_GUARD_RE.test(prev);
-	}
-	return false;
-};
-const flagLibraryPanic = (lines, relPath, pkg, out) => {
-	if (pkg === "main") return;
-	for (let i = 0; i < lines.length; i++) {
-		const line = lines[i];
-		if (COMMENT_LINE_RE$1.test(line)) continue;
-		PANIC_CALL_RE.lastIndex = 0;
-		if (!PANIC_CALL_RE.test(line)) continue;
-		if (hasIntentComment$1(lines, i)) continue;
-		if (isNilGuardPanic(lines, i, line)) continue;
-		out.push({
-			filePath: relPath,
-			engine: "ai-slop",
-			rule: "ai-slop/go-library-panic",
-			severity: "warning",
-			message: `\`panic()\` in package \`${pkg}\` (non-main, non-test). Library code should return errors, not unwind the goroutine.`,
-			help: "Convert to `return fmt.Errorf(...)` (or a wrapped error) and let the caller decide. Reserve `panic` for genuinely-impossible states (corrupt internal invariants), and mark those with a comment so future readers know it's intentional.",
-			line: i + 1,
-			column: 1,
-			category: "AI Slop",
-			fixable: false
-		});
-	}
-};
-const detectGoPatterns = async (context) => {
-	const diagnostics = [];
-	const files = getSourceFiles(context);
-	for (const filePath of files) {
-		if (!GO_EXTENSIONS.has(path.extname(filePath))) continue;
-		if (isAutoGenerated(filePath)) continue;
-		if (filePath.endsWith("_test.go")) continue;
-		let content;
-		try {
-			content = fs.readFileSync(filePath, "utf-8");
-		} catch {
-			continue;
-		}
-		const lines = content.split("\n");
-		const pkg = detectPackageName(lines);
-		if (!pkg) continue;
-		flagLibraryPanic(lines, path.relative(context.rootDirectory, filePath), pkg, diagnostics);
-	}
-	return diagnostics;
-};
-
-//#endregion
-//#region src/engines/ai-slop/hardcoded-config.ts
-const SOURCE_EXTENSIONS = new Set([
-	".ts",
-	".tsx",
-	".js",
-	".jsx",
-	".mjs",
-	".cjs",
-	".py",
-	".go",
-	".rs",
-	".rb",
-	".java",
-	".php"
-]);
-const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
-const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
-const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
-const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
-const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
-const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
-const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
-const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
-const PLACEHOLDER_HOSTS = new Set([
-	"example.com",
-	"example.org",
-	"example.net"
-]);
-const LOOPBACK_HOSTS = new Set([
-	"localhost",
-	"127.0.0.1",
-	"0.0.0.0",
-	"::1"
-]);
-const VENDOR_API_DOMAINS = [
-	"github.com",
-	"githubusercontent.com",
-	"googleapis.com",
-	"accounts.google.com",
-	"stripe.com",
-	"openai.com",
-	"anthropic.com",
-	"slack.com",
-	"twilio.com",
-	"sendgrid.com",
-	"mailgun.net",
-	"cloudflare.com",
-	"discord.com",
-	"telegram.org",
-	"login.microsoftonline.com",
-	"graph.microsoft.com",
-	"twitter.com",
-	"x.com",
-	"twimg.com",
-	"t.co",
-	"api.telegram.org"
-];
-const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
-const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
-const HARDCODED_URL_FINDING = {
-	rule: "ai-slop/hardcoded-url",
-	message: "Hardcoded environment URL in production code",
-	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
-};
-const HARDCODED_ID_FINDING = {
-	rule: "ai-slop/hardcoded-id",
-	message: "Hardcoded provider/project ID in production code",
-	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
-};
-const makeFinding = (filePath, line, spec) => ({
-	filePath,
-	engine: "ai-slop",
-	rule: spec.rule,
-	severity: "warning",
-	message: spec.message,
-	help: spec.help,
-	line,
-	column: 0,
-	category: "AI Slop",
-	fixable: false
-});
-const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
-const commentStartsBefore = (line, index, ext) => {
-	const prefix = line.slice(0, index);
-	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
-	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
-	return prefix.includes("//") || prefix.includes("/*");
-};
-const safeUrlHost = (urlText) => {
-	try {
-		return new URL(urlText).hostname.toLowerCase();
-	} catch {
-		return null;
+		}
 	}
+	return diagnostics;
 };
-const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
-const shouldFlagUrlLiteral = (line, urlText) => {
-	if (isEnvBackedLine(line)) return false;
-	const host = safeUrlHost(urlText);
-	if (!host) return false;
-	if (PLACEHOLDER_HOSTS.has(host)) return false;
-	if (LOOPBACK_HOSTS.has(host)) return false;
-	if (isVendorApiHost(host)) return false;
-	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
-	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
+
+//#endregion
+//#region src/engines/ai-slop/go-patterns.ts
+const GO_EXTENSIONS = new Set([".go"]);
+const PACKAGE_DECL_RE = /^\s*package\s+(\w+)/;
+const PANIC_CALL_RE = /\bpanic\s*\(/;
+const COMMENT_LINE_RE$1 = /^\s*\/\//;
+const NIL_GUARD_RE = /^\s*if\s+[\w.]+(?:\(\))?\s*==\s*nil\s*\{?\s*$/;
+const SHORT_STRING_PANIC_RE = /\bpanic\s*\(\s*"[^"]{1,40}"\s*\)/;
+const detectPackageName = (lines) => {
+	for (const line of lines) {
+		const m = PACKAGE_DECL_RE.exec(line);
+		if (m) return m[1];
+	}
+	return null;
 };
-const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
-const hasUsefulIdShape = (value) => {
-	if (PLACEHOLDER_ID_RE.test(value)) return false;
-	if (ENV_VAR_NAME_RE.test(value)) return false;
-	if (/^https?:\/\//i.test(value)) return false;
-	if (/^[A-Za-z]+$/.test(value)) return false;
-	return /[0-9]/.test(value);
+const PANIC_INTENT_LOOKBACK = 3;
+const hasIntentComment$1 = (lines, panicLineIdx) => {
+	for (let j = panicLineIdx - 1; j >= Math.max(0, panicLineIdx - PANIC_INTENT_LOOKBACK); j--) if (COMMENT_LINE_RE$1.test(lines[j])) return true;
+	return false;
 };
-const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
-	const diagnostics = [];
-	if (isCommentOnlyLine(line.trim())) return diagnostics;
-	URL_LITERAL_RE.lastIndex = 0;
-	let urlMatch;
-	while ((urlMatch = URL_LITERAL_RE.exec(line)) !== null) {
-		const urlText = urlMatch[2];
-		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
-		if (!shouldFlagUrlLiteral(line, urlText)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
-	}
-	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
-	ID_LITERAL_RE.lastIndex = 0;
-	let idMatch;
-	while ((idMatch = ID_LITERAL_RE.exec(line)) !== null) {
-		const value = idMatch[2];
-		if (commentStartsBefore(line, idMatch.index, ext)) continue;
-		if (!hasUsefulIdShape(value)) continue;
-		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
+const isNilGuardPanic = (lines, panicLineIdx, line) => {
+	if (!SHORT_STRING_PANIC_RE.test(line)) return false;
+	for (let j = panicLineIdx - 1; j >= Math.max(0, panicLineIdx - 2); j--) {
+		const prev = lines[j];
+		if (prev.trim() === "") continue;
+		return NIL_GUARD_RE.test(prev);
 	}
-	return diagnostics;
+	return false;
 };
-const scanFileForConfigLiterals = (content, relativePath, ext) => {
-	if (!SOURCE_EXTENSIONS.has(ext)) return [];
-	if (isNonProductionPath(relativePath)) return [];
-	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
-	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
+const flagLibraryPanic = (lines, relPath, pkg, out) => {
+	if (pkg === "main") return;
+	for (let i = 0; i < lines.length; i++) {
+		const line = lines[i];
+		if (COMMENT_LINE_RE$1.test(line)) continue;
+		PANIC_CALL_RE.lastIndex = 0;
+		if (!PANIC_CALL_RE.test(line)) continue;
+		if (hasIntentComment$1(lines, i)) continue;
+		if (isNilGuardPanic(lines, i, line)) continue;
+		out.push({
+			filePath: relPath,
+			engine: "ai-slop",
+			rule: "ai-slop/go-library-panic",
+			severity: "warning",
+			message: `\`panic()\` in package \`${pkg}\` (non-main, non-test). Library code should return errors, not unwind the goroutine.`,
+			help: "Convert to `return fmt.Errorf(...)` (or a wrapped error) and let the caller decide. Reserve `panic` for genuinely-impossible states (corrupt internal invariants), and mark those with a comment so future readers know it's intentional.",
+			line: i + 1,
+			column: 1,
+			category: "AI Slop",
+			fixable: false
+		});
+	}
 };
-const detectHardcodedConfigLiterals = async (context) => {
+const detectGoPatterns = async (context) => {
 	const diagnostics = [];
-	for (const filePath of getSourceFiles(context)) {
+	const files = getSourceFiles(context);
+	for (const filePath of files) {
+		if (!GO_EXTENSIONS.has(path.extname(filePath))) continue;
 		if (isAutoGenerated(filePath)) continue;
+		if (filePath.endsWith("_test.go")) continue;
 		let content;
 		try {
 			content = fs.readFileSync(filePath, "utf-8");
 		} catch {
 			continue;
 		}
-		const relativePath = path.relative(context.rootDirectory, filePath);
-		const ext = path.extname(filePath);
-		diagnostics.push(...scanFileForConfigLiterals(maskComments(content, ext), relativePath, ext));
+		const lines = content.split("\n");
+		const pkg = detectPackageName(lines);
+		if (!pkg) continue;
+		flagLibraryPanic(lines, path.relative(context.rootDirectory, filePath), pkg, diagnostics);
 	}
 	return diagnostics;
 };
@@ -1813,7 +1669,7 @@ const JS_RESOLUTION_EXTENSIONS = [
 	"/index.js",
 	"/index.jsx"
 ];
-const readJson$2 = (filePath) => {
+const readJson$3 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -1828,7 +1684,7 @@ const buildAliasMatcher = (key) => {
 	return (spec) => spec.length >= before.length + after.length && spec.startsWith(before) && spec.endsWith(after);
 };
 const collectAliasMatchersFromConfig = (configPath, matchers) => {
-	const opts = readJson$2(configPath)?.compilerOptions;
+	const opts = readJson$3(configPath)?.compilerOptions;
 	if (!opts || typeof opts !== "object") return;
 	const configDir = path.dirname(configPath);
 	const paths = opts.paths;
@@ -1851,7 +1707,7 @@ const collectTsPathAliases = (rootDir, workspaceDirs) => {
 
 //#endregion
 //#region src/engines/ai-slop/js-workspaces.ts
-const readJson$1 = (filePath) => {
+const readJson$2 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -1871,7 +1727,7 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 			}
 		}
 	}
-	const lerna = readJson$1(path.join(rootDir, "lerna.json"));
+	const lerna = readJson$2(path.join(rootDir, "lerna.json"));
 	if (lerna && Array.isArray(lerna.packages)) {
 		for (const g of lerna.packages) if (typeof g === "string") globs.push(g);
 	}
@@ -1893,15 +1749,18 @@ const readWorkspaceGlobs = (rootDir, rootPkg) => {
 	}
 	return globs;
 };
+const readWorkspaceEntries = (dir) => {
+	try {
+		return fs.readdirSync(dir, { withFileTypes: true });
+	} catch {
+		return [];
+	}
+};
 const expandWorkspaceDirs = (rootDir, globs) => {
 	const dirs = [];
 	for (const glob of globs) if (glob.endsWith("/*")) {
 		const parent = path.join(rootDir, glob.slice(0, -2));
-		try {
-			for (const entry of fs.readdirSync(parent, { withFileTypes: true })) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
-		} catch {
-			continue;
-		}
+		for (const entry of readWorkspaceEntries(parent)) if (entry.isDirectory()) dirs.push(path.join(parent, entry.name));
 	} else if (!glob.includes("*")) dirs.push(path.join(rootDir, glob));
 	return dirs;
 };
@@ -2269,7 +2128,7 @@ const JS_EXTENSIONS$1 = new Set([
 	".cjs"
 ]);
 const PY_EXTENSIONS$2 = new Set([".py"]);
-const readJson = (filePath) => {
+const readJson$1 = (filePath) => {
 	try {
 		return JSON.parse(fs.readFileSync(filePath, "utf-8"));
 	} catch {
@@ -2313,7 +2172,7 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 			const full = path.join(dir, entry.name);
 			if (entry.isDirectory()) walk(full, depth + 1);
 			else if (entry.name === "package.json" && depth > 0) {
-				const wsPkg = readJson(full);
+				const wsPkg = readJson$1(full);
 				if (!wsPkg) continue;
 				if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 				addDepsFromPkg(wsPkg, jsDeps);
@@ -2325,13 +2184,13 @@ const collectNestedManifests = (rootDir, jsDeps) => {
 const collectJsDeps = (rootDir, jsDeps) => {
 	const pkgPath = path.join(rootDir, "package.json");
 	if (!fs.existsSync(pkgPath)) return false;
-	const pkg = readJson(pkgPath);
+	const pkg = readJson$1(pkgPath);
 	if (!pkg || typeof pkg !== "object") return false;
 	addDepsFromPkg(pkg, jsDeps);
 	if (typeof pkg.name === "string") jsDeps.add(pkg.name);
 	const workspaceDirs = collectWorkspaceDirs(rootDir, pkg);
 	for (const wsDir of workspaceDirs) {
-		const wsPkg = readJson(path.join(wsDir, "package.json"));
+		const wsPkg = readJson$1(path.join(wsDir, "package.json"));
 		if (!wsPkg) continue;
 		if (typeof wsPkg.name === "string") jsDeps.add(wsPkg.name);
 		addDepsFromPkg(wsPkg, jsDeps);
@@ -2360,7 +2219,11 @@ const VIRTUAL_MODULE_PREFIXES = [
 	"astro:",
 	"virtual:",
 	"bun:",
-	"file:"
+	"file:",
+	"http:",
+	"https:",
+	"jsr:",
+	"npm:"
 ];
 const isJsVirtualModule = (spec, manifest) => {
 	if (VIRTUAL_MODULE_PREFIXES.some((p) => spec.startsWith(p))) return true;
@@ -2461,48 +2324,230 @@ const extractPyImports = (content) => {
 			});
 		}
 	}
-	return results;
+	return results;
+};
+const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
+	const spec = stripImportQuery(rawSpec);
+	if (spec.length === 0) return null;
+	if (isJsRelativeOrAbsolute(spec)) return null;
+	if (isJsBuiltin(spec)) return null;
+	if (isJsVirtualModule(spec, manifest)) return null;
+	if (tsAliasMatchers.some((m) => m(spec))) return null;
+	const pkg = packageNameFromImport(spec);
+	if (manifest.jsDeps.has(pkg)) return null;
+	if (pkg.startsWith("@types/")) {
+		const realPkg = pkg.slice(7);
+		if (manifest.jsDeps.has(realPkg)) return null;
+	}
+	if (manifest.jsDeps.has(typesPackageName(pkg))) return null;
+	return pkg;
+};
+const normalizePyName = (name) => name.toLowerCase().replace(/_/g, "-");
+const checkPyImport = (spec, manifest) => {
+	const root = spec.split(".")[0];
+	if (PYTHON_STDLIB.has(root)) return null;
+	const normalized = normalizePyName(root);
+	if (manifest.pyDeps.has(normalized)) return null;
+	if ((PYTHON_IMPORT_TO_PIP[root] ?? PYTHON_IMPORT_TO_PIP[normalized])?.some((dist) => manifest.pyDeps.has(normalizePyName(dist)))) return null;
+	return root;
+};
+const detectHallucinatedImports = async (context) => {
+	const rootPkg = readJson$1(path.join(context.rootDirectory, "package.json"));
+	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
+	const manifest = loadManifest(context.rootDirectory);
+	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
+	const tsAliasMatchers = manifest.hasJsManifest ? collectTsPathAliases(context.rootDirectory, workspaceDirs) : [];
+	const diagnostics = [];
+	const files = getSourceFiles(context);
+	for (const filePath of files) {
+		const ext = path.extname(filePath);
+		const isJs = JS_EXTENSIONS$1.has(ext);
+		const isPy = PY_EXTENSIONS$2.has(ext);
+		if (!isJs && !isPy) continue;
+		if (isJs && !manifest.hasJsManifest) continue;
+		if (isPy && !manifest.hasPyManifest) continue;
+		if (isAutoGenerated(filePath)) continue;
+		let content;
+		try {
+			content = fs.readFileSync(filePath, "utf-8");
+		} catch {
+			continue;
+		}
+		const relPath = path.relative(context.rootDirectory, filePath);
+		if (isNonProductionPath(relPath)) continue;
+		const imports = isJs ? extractJsImports(content) : extractPyImports(content);
+		for (const { spec, line } of imports) {
+			const hallucinated = isJs ? checkJsImport(spec, manifest, tsAliasMatchers) : checkPyImport(spec, manifest);
+			if (!hallucinated) continue;
+			const manifestLabel = isJs ? "package.json" : "requirements.txt / pyproject.toml / Pipfile";
+			diagnostics.push({
+				filePath: relPath,
+				engine: "ai-slop",
+				rule: "ai-slop/hallucinated-import",
+				severity: "error",
+				message: `Imports "${hallucinated}" but it's not declared in ${manifestLabel}${isPy ? " and isn't Python stdlib" : ""}`,
+				help: "Most often this is an LLM hallucinating a plausible-sounding package name. Either add the package to your manifest, or correct the import.",
+				line,
+				column: 1,
+				category: "AI Slop",
+				fixable: false
+			});
+		}
+	}
+	return diagnostics;
+};
+
+//#endregion
+//#region src/engines/ai-slop/hardcoded-config.ts
+const SOURCE_EXTENSIONS = new Set([
+	".ts",
+	".tsx",
+	".js",
+	".jsx",
+	".mjs",
+	".cjs",
+	".py",
+	".go",
+	".rs",
+	".rb",
+	".java",
+	".php"
+]);
+const URL_LITERAL_RE = /(["'`])(https?:\/\/[^"'`\s<>]+)\1/g;
+const ID_LITERAL_RE = /(["'])([A-Za-z][A-Za-z0-9_-]{15,})\1/g;
+const ENV_REFERENCE_RE = /\b(?:process\.env|import\.meta\.env|Deno\.env|os\.environ|getenv|env\()\b/i;
+const DOC_URL_CONTEXT_RE = /\b(?:docs?|documentation|homepage|repository|bugs|license|readme|source|svgUrl|pageUrl|href|link|install)\b/i;
+const URL_CONFIG_CONTEXT_RE = /\b(?:api|base[_-]?url|baseUrl|endpoint|host|origin|webhook|callback|redirect|server|service|domain|url)\b/i;
+const ENVIRONMENT_HOST_RE = /(?:^|[.-])(?:api|app|admin|auth|staging|stage|prod|dev|sandbox|webhook|internal)(?:[.-]|$)|^(?:localhost|127\.0\.0\.1|0\.0\.0\.0)$/i;
+const ID_CONTEXT_RE = /(?:^|[^A-Za-z0-9])(?:api[_-]?key|client[_-]?id|project[_-]?id|org(?:anization)?[_-]?id|workspace[_-]?id|tenant[_-]?id|price[_-]?id|product[_-]?id|customer[_-]?id|subscription[_-]?id|account[_-]?id|app[_-]?id|key|token|secret)(?:$|[^A-Za-z0-9])/i;
+const MIGRATION_PATH_RE$1 = /(?:^|[\\/])(?:migrations?|db[\\/]migrate)[\\/]/i;
+const PLACEHOLDER_HOSTS = new Set([
+	"example.com",
+	"example.org",
+	"example.net"
+]);
+const LOOPBACK_HOSTS = new Set([
+	"localhost",
+	"127.0.0.1",
+	"0.0.0.0",
+	"::1"
+]);
+const VENDOR_API_DOMAINS = [
+	"github.com",
+	"githubusercontent.com",
+	"googleapis.com",
+	"accounts.google.com",
+	"stripe.com",
+	"openai.com",
+	"anthropic.com",
+	"slack.com",
+	"twilio.com",
+	"sendgrid.com",
+	"mailgun.net",
+	"cloudflare.com",
+	"discord.com",
+	"telegram.org",
+	"login.microsoftonline.com",
+	"graph.microsoft.com",
+	"twitter.com",
+	"x.com",
+	"twimg.com",
+	"t.co",
+	"api.telegram.org"
+];
+const isVendorApiHost = (host) => VENDOR_API_DOMAINS.some((d) => host === d || host.endsWith(`.${d}`));
+const PLACEHOLDER_ID_RE = /^(?:changeme|replace[_-]?me|your[_-]|example|placeholder|todo)/i;
+const PROVIDER_ID_RE = /^(?:price|prod|cus|sub|acct|org|app|tenant|workspace|project|client|key|tok|token|sk|pk)_[A-Za-z0-9][A-Za-z0-9_-]{7,}$/i;
+const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+const READABLE_KEY_RE = /^[a-z][a-z0-9]*(?:[_-][a-z0-9]+){2,}$/;
+const HARDCODED_URL_FINDING = {
+	rule: "ai-slop/hardcoded-url",
+	message: "Hardcoded environment URL in production code",
+	help: "Move deployment-specific URLs to environment variables or a typed config module. Keep only stable documentation/public links inline."
+};
+const HARDCODED_ID_FINDING = {
+	rule: "ai-slop/hardcoded-id",
+	message: "Hardcoded provider/project ID in production code",
+	help: "Move provider IDs, tenant IDs, price IDs, and similar deployment-specific identifiers to env/config so agents do not bake one environment into source."
+};
+const makeFinding = (filePath, line, spec) => ({
+	filePath,
+	engine: "ai-slop",
+	rule: spec.rule,
+	severity: "warning",
+	message: spec.message,
+	help: spec.help,
+	line,
+	column: 0,
+	category: "AI Slop",
+	fixable: false
+});
+const isCommentOnlyLine = (trimmed) => trimmed.startsWith("//") || trimmed.startsWith("#") || trimmed.startsWith("*") || trimmed.startsWith("/*");
+const commentStartsBefore = (line, index, ext) => {
+	const prefix = line.slice(0, index);
+	if (ext === ".py" || ext === ".rb") return prefix.includes("#");
+	if (ext === ".php") return prefix.includes("//") || prefix.includes("#");
+	return prefix.includes("//") || prefix.includes("/*");
+};
+const safeUrlHost = (urlText) => {
+	try {
+		return new URL(urlText).hostname.toLowerCase();
+	} catch {
+		return null;
+	}
 };
-const checkJsImport = (rawSpec, manifest, tsAliasMatchers) => {
-	const spec = stripImportQuery(rawSpec);
-	if (spec.length === 0) return null;
-	if (isJsRelativeOrAbsolute(spec)) return null;
-	if (isJsBuiltin(spec)) return null;
-	if (isJsVirtualModule(spec, manifest)) return null;
-	if (tsAliasMatchers.some((m) => m(spec))) return null;
-	const pkg = packageNameFromImport(spec);
-	if (manifest.jsDeps.has(pkg)) return null;
-	if (pkg.startsWith("@types/")) {
-		const realPkg = pkg.slice(7);
-		if (manifest.jsDeps.has(realPkg)) return null;
+const isEnvBackedLine = (line) => ENV_REFERENCE_RE.test(line);
+const TEMPLATE_INTERPOLATION_START = "${";
+const shouldFlagUrlLiteral = (line, urlText) => {
+	if (isEnvBackedLine(line)) return false;
+	if (urlText.includes(TEMPLATE_INTERPOLATION_START) && /\bnew\s+URL\s*\(/.test(line)) return false;
+	const host = safeUrlHost(urlText);
+	if (!host) return false;
+	if (PLACEHOLDER_HOSTS.has(host)) return false;
+	if (LOOPBACK_HOSTS.has(host)) return false;
+	if (isVendorApiHost(host)) return false;
+	if (DOC_URL_CONTEXT_RE.test(line) && !ENVIRONMENT_HOST_RE.test(host)) return false;
+	return URL_CONFIG_CONTEXT_RE.test(line) || ENVIRONMENT_HOST_RE.test(host);
+};
+const ENV_VAR_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
+const hasUsefulIdShape = (value) => {
+	if (PLACEHOLDER_ID_RE.test(value)) return false;
+	if (ENV_VAR_NAME_RE.test(value)) return false;
+	if (/^https?:\/\//i.test(value)) return false;
+	if (/^[A-Za-z]+$/.test(value)) return false;
+	if (READABLE_KEY_RE.test(value) && !PROVIDER_ID_RE.test(value)) return false;
+	if (PROVIDER_ID_RE.test(value)) return true;
+	if (UUID_RE.test(value)) return true;
+	if (!/[0-9]/.test(value)) return false;
+	return value.length >= 24 && !/[_-]/.test(value) && /[a-z]/.test(value) && /[A-Z]/.test(value);
+};
+const scanLineForConfigLiterals = (line, relativePath, ext, lineNumber) => {
+	const diagnostics = [];
+	if (isCommentOnlyLine(line.trim())) return diagnostics;
+	for (const urlMatch of line.matchAll(URL_LITERAL_RE)) {
+		const urlText = urlMatch[2];
+		if (commentStartsBefore(line, urlMatch.index, ext)) continue;
+		if (!shouldFlagUrlLiteral(line, urlText)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_URL_FINDING));
 	}
-	if (manifest.jsDeps.has(typesPackageName(pkg))) return null;
-	return pkg;
+	if (!ID_CONTEXT_RE.test(line) || isEnvBackedLine(line) || DOC_URL_CONTEXT_RE.test(line)) return diagnostics;
+	for (const idMatch of line.matchAll(ID_LITERAL_RE)) {
+		const value = idMatch[2];
+		if (commentStartsBefore(line, idMatch.index, ext)) continue;
+		if (!hasUsefulIdShape(value)) continue;
+		diagnostics.push(makeFinding(relativePath, lineNumber, HARDCODED_ID_FINDING));
+	}
+	return diagnostics;
 };
-const normalizePyName = (name) => name.toLowerCase().replace(/_/g, "-");
-const checkPyImport = (spec, manifest) => {
-	const root = spec.split(".")[0];
-	if (PYTHON_STDLIB.has(root)) return null;
-	const normalized = normalizePyName(root);
-	if (manifest.pyDeps.has(normalized)) return null;
-	if ((PYTHON_IMPORT_TO_PIP[root] ?? PYTHON_IMPORT_TO_PIP[normalized])?.some((dist) => manifest.pyDeps.has(normalizePyName(dist)))) return null;
-	return root;
+const scanFileForConfigLiterals = (content, relativePath, ext) => {
+	if (!SOURCE_EXTENSIONS.has(ext)) return [];
+	if (isNonProductionPath(relativePath)) return [];
+	if (MIGRATION_PATH_RE$1.test(relativePath)) return [];
+	return content.split("\n").flatMap((line, index) => scanLineForConfigLiterals(line, relativePath, ext, index + 1));
 };
-const detectHallucinatedImports = async (context) => {
-	const rootPkg = readJson(path.join(context.rootDirectory, "package.json"));
-	const workspaceDirs = collectWorkspaceDirs(context.rootDirectory, rootPkg);
-	const manifest = loadManifest(context.rootDirectory);
-	if (!manifest.hasJsManifest && !manifest.hasPyManifest) return [];
-	const tsAliasMatchers = manifest.hasJsManifest ? collectTsPathAliases(context.rootDirectory, workspaceDirs) : [];
+const detectHardcodedConfigLiterals = async (context) => {
 	const diagnostics = [];
-	const files = getSourceFiles(context);
-	for (const filePath of files) {
-		const ext = path.extname(filePath);
-		const isJs = JS_EXTENSIONS$1.has(ext);
-		const isPy = PY_EXTENSIONS$2.has(ext);
-		if (!isJs && !isPy) continue;
-		if (isJs && !manifest.hasJsManifest) continue;
-		if (isPy && !manifest.hasPyManifest) continue;
+	for (const filePath of getSourceFiles(context)) {
 		if (isAutoGenerated(filePath)) continue;
 		let content;
 		try {
@@ -2510,30 +2555,18 @@ const detectHallucinatedImports = async (context) => {
 		} catch {
 			continue;
 		}
-		const relPath = path.relative(context.rootDirectory, filePath);
-		if (isNonProductionPath(relPath)) continue;
-		const imports = isJs ? extractJsImports(content) : extractPyImports(content);
-		for (const { spec, line } of imports) {
-			const hallucinated = isJs ? checkJsImport(spec, manifest, tsAliasMatchers) : checkPyImport(spec, manifest);
-			if (!hallucinated) continue;
-			const manifestLabel = isJs ? "package.json" : "requirements.txt / pyproject.toml / Pipfile";
-			diagnostics.push({
-				filePath: relPath,
-				engine: "ai-slop",
-				rule: "ai-slop/hallucinated-import",
-				severity: "error",
-				message: `Imports "${hallucinated}" but it's not declared in ${manifestLabel}${isPy ? " and isn't Python stdlib" : ""}`,
-				help: "Most often this is an LLM hallucinating a plausible-sounding package name. Either add the package to your manifest, or correct the import.",
-				line,
-				column: 1,
-				category: "AI Slop",
-				fixable: false
-			});
-		}
+		const relativePath = path.relative(context.rootDirectory, filePath);
+		const ext = path.extname(filePath);
+		diagnostics.push(...scanFileForConfigLiterals(maskComments(content, ext), relativePath, ext));
 	}
 	return diagnostics;
 };
 
+//#endregion
+//#region src/utils/suppress.ts
+const DIRECTIVE_RE = /(?:\/\/|\/\*|#|<!--|\*)\s*aislop-ignore-(next-line|line|file)\b([^\n]*)/;
+const isAislopDirectiveLine = (line) => DIRECTIVE_RE.test(line);
+
 //#endregion
 //#region src/engines/ai-slop/comment-blocks.ts
 const stripJsdocLine = (line) => line.replace(/^\s*\/\*\*+\s?/, "").replace(/\s*\*+\/\s*$/, "").replace(/^\s*\*\s?/, "").trim();
@@ -2557,6 +2590,7 @@ const getCommentSyntax = (ext) => {
 };
 const getMatchedLinePrefix = (line, syntax) => {
 	const trimmed = line.trimStart();
+	if (isAislopDirectiveLine(trimmed)) return null;
 	for (const prefix of syntax.linePrefixes) {
 		if (!trimmed.startsWith(prefix)) continue;
 		if (prefix === "#" && trimmed.startsWith("#!")) return null;
@@ -3356,9 +3390,7 @@ const isLogOnlyBody = (body) => {
 };
 const detectJsSilentRecovery = (content, relPath) => {
 	const out = [];
-	CATCH_HEAD_RE.lastIndex = 0;
-	let match;
-	while ((match = CATCH_HEAD_RE.exec(content)) !== null) {
+	for (const match of content.matchAll(CATCH_HEAD_RE)) {
 		const body = extractCatchBody(content, match.index + match[0].length - 1);
 		if (body === null) continue;
 		if (!isLogOnlyBody(body)) continue;
@@ -3534,18 +3566,22 @@ const extractPyImportedSymbols = (lines) => {
 			}
 			continue;
 		}
-		const importMatch = trimmed.match(/^import\s+([\w.]+)(?:\s+as\s+(\w+))?/);
+		const importMatch = trimmed.match(/^import\s+(.+)/);
 		if (importMatch) {
 			importLines.add(i);
-			const alias = importMatch[2];
-			if (alias && alias === importMatch[1]) continue;
-			const simpleName = (alias ?? importMatch[1]).split(".")[0];
-			if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
-				name: simpleName,
-				line: i + 1,
-				isDefault: false,
-				isNamespace: true
-			});
+			for (const clause of importMatch[1].replace(/#.*$/, "").split(",")) {
+				const clauseMatch = clause.trim().match(/^([\w.]+)(?:\s+as\s+(\w+))?/);
+				if (!clauseMatch) continue;
+				const alias = clauseMatch[2];
+				if (alias && alias === clauseMatch[1]) continue;
+				const simpleName = (alias ?? clauseMatch[1]).split(".")[0];
+				if (simpleName && /^\w+$/.test(simpleName)) symbols.push({
+					name: simpleName,
+					line: i + 1,
+					isDefault: false,
+					isNamespace: true
+				});
+			}
 		}
 	}
 	return {
@@ -3555,8 +3591,7 @@ const extractPyImportedSymbols = (lines) => {
 };
 const isSymbolUsed = (name, content, importLines, lines) => {
 	const pattern = new RegExp(`\\b${name}\\b`, "g");
-	let match;
-	while ((match = pattern.exec(content)) !== null) {
+	for (const match of content.matchAll(pattern)) {
 		const lineIndex = content.slice(0, match.index).split("\n").length - 1;
 		if (!importLines.has(lineIndex)) return true;
 	}
@@ -3657,6 +3692,18 @@ const aiSlopEngine = {
 
 //#endregion
 //#region src/engines/architecture/matchers.ts
+const REGEX_SPECIAL_CHARS = new Set([
+	".",
+	"+",
+	"^",
+	"$",
+	"{",
+	"}",
+	"(",
+	")",
+	"|",
+	"\\"
+]);
 const minimatch = (filePath, pattern) => {
 	let regex = "";
 	let i = 0;
@@ -3681,7 +3728,7 @@ const minimatch = (filePath, pattern) => {
 				regex += pattern.slice(i, closeIndex + 1);
 				i = closeIndex + 1;
 			}
-		} else if (".+^${}()|\\".includes(ch)) {
+		} else if (REGEX_SPECIAL_CHARS.has(ch)) {
 			regex += `\\${ch}`;
 			i++;
 		} else {
@@ -3701,27 +3748,15 @@ const extractImports = (content, ext) => {
 		".mjs",
 		".cjs"
 	].includes(ext)) {
-		const esPattern = /(?:import|from)\s+["']([^"']+)["']/g;
-		let match;
-		while ((match = esPattern.exec(content)) !== null) imports.push(match[1]);
-		const reqPattern = /require\s*\(\s*["']([^"']+)["']\s*\)/g;
-		while ((match = reqPattern.exec(content)) !== null) imports.push(match[1]);
-	}
-	if (ext === ".py") {
-		const pyPattern = /(?:from|import)\s+([\w.]+)/g;
-		let match;
-		while ((match = pyPattern.exec(content)) !== null) imports.push(match[1]);
+		for (const match of content.matchAll(/(?:import|from)\s+["']([^"']+)["']/g)) imports.push(match[1]);
+		for (const match of content.matchAll(/require\s*\(\s*["']([^"']+)["']\s*\)/g)) imports.push(match[1]);
 	}
+	if (ext === ".py") for (const match of content.matchAll(/(?:from|import)\s+([\w.]+)/g)) imports.push(match[1]);
 	if (ext === ".go") {
-		const goSingleImport = /^\s*import\s+"([^"]+)"/gm;
-		let match;
-		while ((match = goSingleImport.exec(content)) !== null) imports.push(match[1]);
-		const goMultiImport = /import\s*\(([^)]*)\)/gs;
-		while ((match = goMultiImport.exec(content)) !== null) {
+		for (const match of content.matchAll(/^\s*import\s+"([^"]+)"/gm)) imports.push(match[1]);
+		for (const match of content.matchAll(/import\s*\(([^)]*)\)/gs)) {
 			const block = match[1];
-			const pkgPattern = /"([^"]+)"/g;
-			let pkgMatch;
-			while ((pkgMatch = pkgPattern.exec(block)) !== null) imports.push(pkgMatch[1]);
+			for (const pkgMatch of block.matchAll(/"([^"]+)"/g)) imports.push(pkgMatch[1]);
 		}
 	}
 	return imports;
@@ -3848,10 +3883,10 @@ const architectureEngine = {
 //#endregion
 //#region src/engines/code-quality/function-boundaries.ts
 const PYTHON_CONTROL_FLOW_RE = /^\s*(?:if|for|while|with|try|except|else|elif|finally|def|class)\b/;
-const ARROW_BLOCK_RE = /* @__PURE__ */ new RegExp("=>\\s*\\{");
-const ARROW_END_RE = /* @__PURE__ */ new RegExp("=>\\s*$");
-const BRACE_START_RE = /* @__PURE__ */ new RegExp("^\\s*\\{");
-const NEW_STATEMENT_RE = /* @__PURE__ */ new RegExp("^(?:export\\s+)?(?:const|let|var|function|class)\\s");
+const ARROW_BLOCK_RE = /=>\s*\{/;
+const ARROW_END_RE = /=>\s*$/;
+const BRACE_START_RE = /^\s*\{/;
+const NEW_STATEMENT_RE = /^(?:export\s+)?(?:const|let|var|function|class)\s/;
 const isControlFlowBrace = (lineText, braceIndex) => {
 	const before = lineText.substring(0, braceIndex).trimEnd();
 	if (before.endsWith(")")) return true;
@@ -4037,14 +4072,14 @@ const countTemplateLines = (bodyLines) => {
 	let templateLineCount = 0;
 	for (const line of bodyLines) {
 		const startedInside = insideTemplate;
-		let escape = false;
+		let escaped = false;
 		for (const ch of line) {
-			if (escape) {
-				escape = false;
+			if (escaped) {
+				escaped = false;
 				continue;
 			}
 			if (ch === "\\") {
-				escape = true;
+				escaped = true;
 				continue;
 			}
 			if (ch === "`") insideTemplate = !insideTemplate;
@@ -4435,8 +4470,8 @@ const shouldIncludeIssue = (issueType, filePath) => {
 	return !filePath.replace(/\\/g, "/").includes(".github/workflows/");
 };
 const DEPENDENCY_HELP = {
-	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
-	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `npx aislop fix`.",
+	dependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
+	devDependencies: "This package is listed in package.json but not imported anywhere. Remove it with `npm uninstall` or `aislop fix`.",
 	unlisted: "This package is imported in code but not declared in package.json. Run `npm install` to add it.",
 	unresolved: "This import cannot be resolved. Check for typos or missing packages.",
 	binaries: "This binary is used but its package is not in package.json."
@@ -4743,7 +4778,7 @@ const parseBiomeJsonOutput = (output, rootDir) => {
 				rule: "formatting",
 				severity,
 				message,
-				help: "Run `npx aislop fix` to auto-format",
+				help: "Run `aislop fix` to auto-format",
 				line: entry.location?.start?.line ?? 0,
 				column: entry.location?.start?.column ?? 0,
 				category: "Format",
@@ -4772,7 +4807,7 @@ const FORMATTERS = {
 					rule: "rust-formatting",
 					severity: "warning",
 					message: "Rust file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format with rustfmt",
+					help: "Run `aislop fix` to auto-format with rustfmt",
 					line: parseInt(match[2], 10),
 					column: 0,
 					category: "Format",
@@ -4805,7 +4840,7 @@ const FORMATTERS = {
 					rule: offense.cop_name ?? "ruby-formatting",
 					severity: "warning",
 					message: offense.message ?? "Ruby formatting issue",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: offense.location?.start_line ?? 0,
 					column: offense.location?.start_column ?? 0,
 					category: "Format",
@@ -4836,7 +4871,7 @@ const FORMATTERS = {
 					rule: "php-formatting",
 					severity: "warning",
 					message: "PHP file is not formatted correctly",
-					help: "Run `npx aislop fix` to auto-format",
+					help: "Run `aislop fix` to auto-format",
 					line: 0,
 					column: 0,
 					category: "Format",
@@ -4880,7 +4915,7 @@ const runGofmt = async (context) => {
 			rule: "go-formatting",
 			severity: "warning",
 			message: "Go file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with gofmt",
+			help: "Run `aislop fix` to auto-format with gofmt",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -4964,9 +4999,7 @@ const runRuffFormat = async (context) => {
 };
 const parseRuffFormatOutput = (output, rootDir) => {
 	const diagnostics = [];
-	const filePattern = /^--- (.+)$/gm;
-	let match;
-	while ((match = filePattern.exec(output)) !== null) {
+	for (const match of output.matchAll(/^--- (.+)$/gm)) {
 		const filePath = getRuffDiagnosticPath(rootDir, match[1]);
 		diagnostics.push({
 			filePath,
@@ -4974,7 +5007,7 @@ const parseRuffFormatOutput = (output, rootDir) => {
 			rule: "python-formatting",
 			severity: "warning",
 			message: "Python file is not formatted correctly",
-			help: "Run `npx aislop fix` to auto-format with ruff",
+			help: "Run `aislop fix` to auto-format with ruff",
 			line: 0,
 			column: 0,
 			category: "Format",
@@ -4993,10 +5026,10 @@ const formatEngine = {
 		const { languages, installedTools } = context;
 		const promises = [];
 		if (languages.includes("typescript") || languages.includes("javascript")) promises.push(runBiomeFormat(context));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffFormat(context));
-		if (languages.includes("go") && installedTools["gofmt"]) promises.push(runGofmt(context));
-		if (languages.includes("rust") && installedTools["rustfmt"]) promises.push(runGenericFormatter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericFormatter(context, "ruby"));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffFormat(context));
+		if (languages.includes("go") && installedTools.gofmt) promises.push(runGofmt(context));
+		if (languages.includes("rust") && installedTools.rustfmt) promises.push(runGenericFormatter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericFormatter(context, "ruby"));
 		if (languages.includes("php") && installedTools["php-cs-fixer"]) promises.push(runGenericFormatter(context, "php"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -5200,6 +5233,8 @@ const createOxlintConfig = (options) => {
 	if (options.mode === "fix") {
 		rules["no-unused-vars"] = "off";
 		rules["react-hooks/exhaustive-deps"] = "off";
+		rules["jsx-a11y/no-aria-hidden-on-focusable"] = "off";
+		rules["unicorn/no-useless-fallback-in-spread"] = "off";
 	}
 	const plugins = [
 		"import",
@@ -5250,6 +5285,7 @@ const AMBIENT_GLOBAL_DEPS = [
 const SST_PLATFORM_REF_RE = /\/\/\/\s*<reference\s+path=["'][^"']*sst[\\/]+platform[\\/]+config\.d\.ts["']/;
 const ICON_AUTOIMPORT_RE = /^Icon[A-Z]/;
 const NO_UNDEF_IDENT_RE = /^['‘"`]([^'’"`]+)['’"`]/;
+const SUPABASE_FUNCTION_PATH_RE = /(?:^|\/)supabase\/functions\/[^/]+\/.+\.[cm]?[jt]sx?$/;
 const detectAmbientSources = (rootDir) => {
 	const found = /* @__PURE__ */ new Set();
 	const skipDirs = new Set([
@@ -5294,6 +5330,36 @@ const detectAmbientSources = (rootDir) => {
 const extractNoUndefIdentifier = (message) => {
 	return NO_UNDEF_IDENT_RE.exec(message)?.[1] ?? null;
 };
+const looksLikeChromeExtensionManifest = (filePath) => {
+	try {
+		const manifest = JSON.parse(fs.readFileSync(filePath, "utf-8"));
+		return typeof manifest.manifest_version === "number" && ("background" in manifest || "content_scripts" in manifest || "permissions" in manifest);
+	} catch {
+		return false;
+	}
+};
+const chromeExtensionFileCache = /* @__PURE__ */ new Map();
+const isChromeExtensionFile = (rootDir, relativeFilePath) => {
+	const cacheKey = `${rootDir}:${relativeFilePath.split(path.sep).join("/")}`;
+	const cached = chromeExtensionFileCache.get(cacheKey);
+	if (cached !== void 0) return cached;
+	const absolute = path.isAbsolute(relativeFilePath) ? relativeFilePath : path.join(rootDir, relativeFilePath);
+	const root = path.resolve(rootDir);
+	let dir = path.dirname(path.resolve(absolute));
+	let matched = false;
+	while (true) {
+		const relativeToRoot = path.relative(root, dir);
+		if (relativeToRoot.startsWith("..") || path.isAbsolute(relativeToRoot)) break;
+		if (looksLikeChromeExtensionManifest(path.join(dir, "manifest.json"))) {
+			matched = true;
+			break;
+		}
+		if (dir === root) break;
+		dir = path.dirname(dir);
+	}
+	chromeExtensionFileCache.set(cacheKey, matched);
+	return matched;
+};
 const isAmbientFalsePositive = (rule, message, sources) => {
 	if (rule !== "eslint/no-undef") return false;
 	const ident = extractNoUndefIdentifier(message);
@@ -5302,9 +5368,19 @@ const isAmbientFalsePositive = (rule, message, sources) => {
 	if ((sources.has("@types/bun") || sources.has("bun-types")) && ident === "Bun") return true;
 	return false;
 };
+const isRuntimeGlobalFalsePositive = (rule, message, rootDir, relativeFilePath) => {
+	if (rule !== "eslint/no-undef") return false;
+	const ident = extractNoUndefIdentifier(message);
+	if (!ident) return false;
+	const normalized = relativeFilePath.split(path.sep).join("/");
+	if (ident === "Deno" && SUPABASE_FUNCTION_PATH_RE.test(normalized)) return true;
+	if (ident === "chrome" && isChromeExtensionFile(rootDir, relativeFilePath)) return true;
+	return false;
+};
 const sstReferencedFiles = /* @__PURE__ */ new Map();
 const clearSstReferenceCache = () => {
 	sstReferencedFiles.clear();
+	chromeExtensionFileCache.clear();
 };
 const fileReferencesSstPlatform = (rootDir, relativeFilePath) => {
 	const cached = sstReferencedFiles.get(relativeFilePath);
@@ -5356,6 +5432,32 @@ const collectPackageNames = (dir) => {
 	}
 	return names;
 };
+const readJson = (filePath) => {
+	const raw = readTextFile$1(filePath);
+	if (!raw) return null;
+	try {
+		const parsed = JSON.parse(raw);
+		return parsed && typeof parsed === "object" ? parsed : null;
+	} catch {
+		return null;
+	}
+};
+const hasBunRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "bun.lock")) || fs.existsSync(path.join(rootDir, "bun.lockb")) || fs.existsSync(path.join(rootDir, "bunfig.toml"))) return true;
+	const hasBunFiles = projectFiles.some((filePath) => /(?:^|\/)bunfig\.toml$|(?:^|\/)bun\.lockb?$/.test(filePath));
+	const pkg = readJson(path.join(rootDir, "package.json"));
+	if (!pkg) return hasBunFiles;
+	if (typeof pkg.packageManager === "string" && /^bun@/i.test(pkg.packageManager)) return true;
+	const scripts = pkg.scripts;
+	if (scripts && typeof scripts === "object") {
+		for (const command of Object.values(scripts)) if (typeof command === "string" && /(?:^|[;&|()\s])bunx?\s/.test(command)) return true;
+	}
+	return hasBunFiles;
+};
+const hasDenoRuntime = (rootDir, projectFiles) => {
+	if (fs.existsSync(path.join(rootDir, "deno.json")) || fs.existsSync(path.join(rootDir, "deno.jsonc"))) return true;
+	return projectFiles.some((filePath) => /(?:^|\/)deno\.jsonc?$/.test(filePath));
+};
 const AMBIENT_GLOBAL_RE = /^\s*(?:declare\s+)?(?:const|let|var|function|class)\s+([A-Za-z_$][\w$]*)/gm;
 const collectAmbientGlobals = (rootDir) => {
 	const globals = /* @__PURE__ */ new Set();
@@ -5364,12 +5466,11 @@ const collectAmbientGlobals = (rootDir) => {
 		if (!relativePath.endsWith(".d.ts")) continue;
 		const content = readTextFile$1(path.join(rootDir, relativePath));
 		if (!content) continue;
-		AMBIENT_GLOBAL_RE.lastIndex = 0;
-		let match;
-		while ((match = AMBIENT_GLOBAL_RE.exec(content)) !== null) globals.add(match[1]);
+		for (const match of content.matchAll(AMBIENT_GLOBAL_RE)) globals.add(match[1]);
 	}
 	const deps = collectPackageNames(rootDir);
-	if (deps.has("@types/bun") || deps.has("bun-types")) globals.add("Bun");
+	if (deps.has("@types/bun") || deps.has("bun-types") || hasBunRuntime(rootDir, projectFiles)) globals.add("Bun");
+	if (hasDenoRuntime(rootDir, projectFiles)) globals.add("Deno");
 	if (projectFiles.some((filePath) => /(?:^|\/)sst\.config\.ts$/.test(filePath))) for (const name of [
 		"$app",
 		"$config",
@@ -5467,6 +5568,37 @@ const detectTestFramework = (rootDir) => {
 	return null;
 };
 const getOxlintTargets = (context) => getSourceFiles(context).filter((filePath) => OXLINT_EXTENSIONS.has(path.extname(filePath).toLowerCase())).filter((filePath) => !isAutoGenerated(filePath)).map((filePath) => path.relative(context.rootDirectory, filePath).split(path.sep).join("/"));
+const toDiagnostic = (d) => {
+	const { plugin, rule } = parseRuleCode(d.code);
+	const label = d.labels[0];
+	return {
+		filePath: d.filename,
+		engine: "lint",
+		rule: `${plugin}/${rule}`,
+		severity: d.severity,
+		message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
+		help: d.help || "",
+		line: label?.span.line ?? 0,
+		column: label?.span.column ?? 0,
+		category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
+		fixable: false
+	};
+};
+const shouldKeepOxlintDiagnostic = (context, ambientSources, seen, d) => {
+	const relativePath = path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath;
+	if (isExcludedFromScan(relativePath)) return false;
+	if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
+	if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
+	if (isRuntimeGlobalFalsePositive(d.rule, d.message, context.rootDirectory, relativePath)) return false;
+	if (isSolidRefFalsePositive(context, d)) return false;
+	if (isContextualTypeScriptFalsePositive(d)) return false;
+	if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
+	if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
+	const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
+	if (seen.has(key)) return false;
+	seen.add(key);
+	return true;
+};
 const runOxlint = async (context) => {
 	const configPath = path.join(os.tmpdir(), `aislop-oxlintrc-${process.pid}.json`);
 	const framework = context.frameworks.find((f) => f !== "none");
@@ -5503,34 +5635,7 @@ const runOxlint = async (context) => {
 			return [];
 		}
 		const seen = /* @__PURE__ */ new Set();
-		return output.diagnostics.map((d) => {
-			const { plugin, rule } = parseRuleCode(d.code);
-			const label = d.labels[0];
-			return {
-				filePath: d.filename,
-				engine: "lint",
-				rule: `${plugin}/${rule}`,
-				severity: d.severity,
-				message: d.message.replace(/\S+\.\w+:\d+:\d+[\s\S]*$/, "").trim() || d.message,
-				help: d.help || "",
-				line: label?.span.line ?? 0,
-				column: label?.span.column ?? 0,
-				category: plugin === "react" ? "React" : plugin === "import" ? "Imports" : "Lint",
-				fixable: false
-			};
-		}).filter((d) => {
-			if (isExcludedFromScan(path.isAbsolute(d.filePath) ? path.relative(context.rootDirectory, d.filePath) : d.filePath)) return false;
-			if (isViteVirtualImportFalsePositive(d.rule, d.message)) return false;
-			if (isAmbientFalsePositive(d.rule, d.message, ambientSources)) return false;
-			if (isSolidRefFalsePositive(context, d)) return false;
-			if (isContextualTypeScriptFalsePositive(d)) return false;
-			if (isUnderscoreUnusedVar(d.rule, d.message)) return false;
-			if (d.rule === "eslint/no-undef" && fileReferencesSstPlatform(context.rootDirectory, d.filePath)) return false;
-			const key = `${d.filePath}:${d.line}:${d.rule}:${d.message}`;
-			if (seen.has(key)) return false;
-			seen.add(key);
-			return true;
-		});
+		return output.diagnostics.map(toDiagnostic).filter((d) => shouldKeepOxlintDiagnostic(context, ambientSources, seen, d));
 	} finally {
 		if (fs.existsSync(configPath)) fs.unlinkSync(configPath);
 	}
@@ -5581,11 +5686,11 @@ const lintEngine = {
 			promises.push(runOxlint(context));
 			if (context.config.lint.typecheck) promises.push(import("./typecheck-By967nny.js").then((mod) => mod.runTypecheck(context)));
 		}
-		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-T4DswmX5.js").then((mod) => mod.runExpoDoctor(context)));
-		if (languages.includes("python") && installedTools["ruff"]) promises.push(runRuffLint(context));
+		if (context.frameworks.includes("expo")) promises.push(import("./expo-doctor-BM2JR6f6.js").then((mod) => mod.runExpoDoctor(context)));
+		if (languages.includes("python") && installedTools.ruff) promises.push(runRuffLint(context));
 		if (languages.includes("go") && installedTools["golangci-lint"]) promises.push(runGolangciLint(context));
-		if (languages.includes("rust") && installedTools["cargo"]) promises.push(runGenericLinter(context, "rust"));
-		if (languages.includes("ruby") && installedTools["rubocop"]) promises.push(runGenericLinter(context, "ruby"));
+		if (languages.includes("rust") && installedTools.cargo) promises.push(runGenericLinter(context, "rust"));
+		if (languages.includes("ruby") && installedTools.rubocop) promises.push(runGenericLinter(context, "ruby"));
 		const results = await Promise.allSettled(promises);
 		for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
 		return {
@@ -5599,7 +5704,7 @@ const lintEngine = {
 
 //#endregion
 //#region src/ui/invocation.ts
-const detectInvocation = () => "npx aislop";
+const detectInvocation = () => "aislop";
 
 //#endregion
 //#region src/engines/security/audit.ts
@@ -5615,7 +5720,7 @@ const runDependencyAudit = async (context) => {
 		else if (fs.existsSync(path.join(context.rootDirectory, "package-lock.json")) || fs.existsSync(path.join(context.rootDirectory, "package.json"))) promises.push(runNpmAudit(context.rootDirectory, timeout));
 	}
 	if (context.languages.includes("python") && context.installedTools["pip-audit"]) promises.push(runPipAudit(context.rootDirectory, timeout));
-	if (context.languages.includes("go") && context.installedTools["govulncheck"]) promises.push(runGovulncheck(context.rootDirectory, timeout));
+	if (context.languages.includes("go") && context.installedTools.govulncheck) promises.push(runGovulncheck(context.rootDirectory, timeout));
 	if (context.languages.includes("rust")) promises.push(runCargoAudit(context.rootDirectory, timeout));
 	const results = await Promise.allSettled(promises);
 	for (const result of results) if (result.status === "fulfilled") diagnostics.push(...result.value);
@@ -5720,9 +5825,12 @@ const parseLegacyAdvisories = (advisories, source) => {
 	for (const [key, advisory] of Object.entries(advisories)) upsertVuln(bucket, advisory.module_name ?? advisory.name ?? advisory.package ?? key, (advisory.severity ?? "moderate").toLowerCase(), advisory.recommendation ?? advisory.title ?? "");
 	return [...bucket.values()].map((agg) => aggregateToDiagnostic(agg, source));
 };
+const carriesAdvisory = (vulnerability) => Array.isArray(vulnerability.via) && vulnerability.via.some((entry) => entry !== null && typeof entry === "object");
 const parseModernVulnerabilities = (vulnerabilities, source) => {
 	const bucket = /* @__PURE__ */ new Map();
+	const hasRootCauses = Object.values(vulnerabilities).some(carriesAdvisory);
 	for (const [packageName, vulnerability] of Object.entries(vulnerabilities)) {
+		if (hasRootCauses && !carriesAdvisory(vulnerability)) continue;
 		const severity = (vulnerability.severity ?? "moderate").toLowerCase();
 		const fixAvailable = vulnerability.fixAvailable;
 		const isDirect = vulnerability.isDirect === true;
@@ -5748,7 +5856,7 @@ const parseJsAudit = (output, source) => {
 			rule: "security/dependency-audit-skipped",
 			severity: "info",
 			message: `Dependency audit skipped (${source}): lockfile is missing`,
-			help: error.detail ?? "Generate a lockfile, then re-run `npx aislop scan` for dependency vulnerability checks.",
+			help: error.detail ?? "Generate a lockfile, then re-run `aislop scan` for dependency vulnerability checks.",
 			line: 0,
 			column: 0,
 			category: "Security",
@@ -5865,6 +5973,194 @@ const runCargoAudit = async (rootDir, timeout) => {
 	}
 };
 
+//#endregion
+//#region src/engines/security/html-safety.ts
+const SAFE_EMPTY_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:""|''|``)\s*;?/;
+const SAFE_SANITIZED_INNER_HTML_RE = /^\.innerHTML\s*=\s*(?:escapeHtml|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)\s*;?(?:\n|$)/;
+const SANITIZER_EXPR_RE = /^(?:escapeHtml|escapeHTML|sanitizeHtml|sanitizeHTML|DOMPurify\.sanitize)\s*\([^;\n]*\)$/;
+const IDENT_RE = /^[A-Za-z_$][\w$]*$/;
+const STATIC_STRING_RE = /^(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|`(?:\\.|[^`\\$])*`)$/;
+const NUMERICISH_EXPR_RE = /^(?:[-+]?\d+(?:\.\d+)?|[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*(?:\s*\|\|\s*[-+]?\d+(?:\.\d+)?)?)$/;
+const NUMERICISH_NAME_RE = /(?:^|\.)(?:count|length|size|width|height|top|right|bottom|left|duration|elapsed|timestamp|time|ms|port|pid|attempt|attempts|index|total|x|y)$|(?:count|length|size|width|height|duration|elapsed|timestamp|time|port|pid|attempt|index|total)$/i;
+const SAFE_FORMAT_CALL_RE = /^(?:format[A-Z]\w*|fmt[A-Z]?\w*)\s*\((.*)\)$/;
+const consumeQuotedLiteral = (content, startIndex, quote) => {
+	let i = startIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === quote) return { endIndex: i };
+		if (char === "\n") return null;
+		i++;
+	}
+	return null;
+};
+const consumeTemplateLiteral = (content, startIndex) => {
+	const openIndex = content.indexOf("`", startIndex);
+	if (openIndex === -1) return null;
+	let i = openIndex + 1;
+	while (i < content.length) {
+		const char = content[i];
+		if (char === "\\") {
+			i += 2;
+			continue;
+		}
+		if (char === "`") return {
+			body: content.slice(openIndex + 1, i),
+			endIndex: i
+		};
+		i++;
+	}
+	return null;
+};
+const assignmentTailIsClosed = (content, endIndex) => /^\s*(?:;[^\n]*)?(?:\n|$)/.test(content.slice(endIndex + 1));
+const assignmentRhsStart = (content, matchIndex) => {
+	const match = /^\.innerHTML\s*=\s*/.exec(content.slice(matchIndex));
+	return match ? matchIndex + match[0].length : null;
+};
+const templateExpressions = (templateBody) => [...templateBody.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+const staticTernaryRe = /^\s*[^?]+\?\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*:\s*(?:"[^"]*"|'[^']*'|`[^`$]*`)\s*$/;
+const splitTopLevelTernary = (expr) => {
+	let quote = null;
+	let depth = 0;
+	let question = -1;
+	let colon = -1;
+	for (let i = 0; i < expr.length; i++) {
+		const char = expr[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (quote) continue;
+		if (char === "(" || char === "[" || char === "{") depth++;
+		else if (char === ")" || char === "]" || char === "}") depth = Math.max(0, depth - 1);
+		else if (char === "?" && depth === 0 && question === -1) question = i;
+		else if (char === ":" && depth === 0 && question !== -1) {
+			colon = i;
+			break;
+		}
+	}
+	if (question === -1 || colon === -1) return null;
+	return {
+		whenTrue: expr.slice(question + 1, colon).trim(),
+		whenFalse: expr.slice(colon + 1).trim()
+	};
+};
+const isNumericishExpression = (expr) => {
+	const normalized = expr.trim();
+	if (/^(?:Math\.\w+|Number|parseInt|parseFloat)\s*\(/.test(normalized)) return true;
+	if (!NUMERICISH_EXPR_RE.test(normalized)) return false;
+	return /\d/.test(normalized) || NUMERICISH_NAME_RE.test(normalized);
+};
+const isSafeTemplateLiteralExpression = (expr, safeNames) => {
+	if (!expr.startsWith("`") || !expr.endsWith("`")) return false;
+	return templateExpressions(expr.slice(1, -1)).every((part) => isSafeHtmlExpression(part, safeNames));
+};
+const collectSafeHtmlNames = (content, matchIndex) => {
+	const safeNames = /* @__PURE__ */ new Set();
+	const prefix = content.slice(Math.max(0, matchIndex - 8e3), matchIndex);
+	for (const rawLine of prefix.split("\n")) {
+		const line = rawLine.trim();
+		let match = /\b(?:const|let|var)\s+([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*\+=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (safeNames.has(name) && isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+			continue;
+		}
+		match = /^([A-Za-z_$][\w$]*)\s*=\s*(.+?)\s*;?$/.exec(line);
+		if (match) {
+			const [, name, expr] = match;
+			if (isSafeHtmlExpression(expr.trim(), safeNames)) safeNames.add(name);
+			else safeNames.delete(name);
+		}
+	}
+	return safeNames;
+};
+const isSafeHtmlExpression = (expr, safeNames) => {
+	const normalized = expr.trim();
+	if (SANITIZER_EXPR_RE.test(normalized)) return true;
+	if (STATIC_STRING_RE.test(normalized)) return true;
+	if (staticTernaryRe.test(expr)) return true;
+	if (isNumericishExpression(normalized)) return true;
+	if (IDENT_RE.test(normalized) && safeNames.has(normalized)) return true;
+	if (isSafeTemplateLiteralExpression(normalized, safeNames)) return true;
+	const ternary = splitTopLevelTernary(normalized);
+	if (ternary && isSafeHtmlExpression(ternary.whenTrue, safeNames) && isSafeHtmlExpression(ternary.whenFalse, safeNames)) return true;
+	const formatCall = SAFE_FORMAT_CALL_RE.exec(normalized);
+	if (formatCall) return formatCall[1].split(",").map((arg) => arg.trim()).filter((arg) => arg.length > 0).every((arg) => isNumericishExpression(arg) || IDENT_RE.test(arg) && safeNames.has(arg));
+	return false;
+};
+const readSingleLineRhs = (content, rhsStart) => {
+	const lineEnd = content.indexOf("\n", rhsStart);
+	const line = content.slice(rhsStart, lineEnd === -1 ? content.length : lineEnd);
+	let quote = null;
+	for (let i = 0; i < line.length; i++) {
+		const char = line[i];
+		if (char === "\\") {
+			i++;
+			continue;
+		}
+		if ((char === "'" || char === "\"" || char === "`") && quote === null) {
+			quote = char;
+			continue;
+		}
+		if (char === quote) {
+			quote = null;
+			continue;
+		}
+		if (char === ";" && quote === null) return line.slice(0, i).trim();
+	}
+	return line.trim();
+};
+const isSafeMapJoinHtmlAssignment = (content, rhsStart) => {
+	const head = content.slice(rhsStart);
+	const mapMatch = /^[A-Za-z_$][\w$.]*\.map\(\s*[A-Za-z_$][\w$]*\s*=>\s*`/.exec(head);
+	if (!mapMatch) return false;
+	const template = consumeTemplateLiteral(content, rhsStart + mapMatch[0].length - 1);
+	if (!template) return false;
+	if (!/^\s*\)\.join\(\s*(?:""|'')\s*\)/.test(content.slice(template.endIndex + 1))) return false;
+	const safeNames = collectSafeHtmlNames(content, rhsStart);
+	return templateExpressions(template.body).every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
+const isSafeInnerHtmlAssignment = (content, matchIndex) => {
+	const tail = content.slice(matchIndex);
+	if (SAFE_EMPTY_INNER_HTML_RE.test(tail) || SAFE_SANITIZED_INNER_HTML_RE.test(tail)) return true;
+	const rhsStart = assignmentRhsStart(content, matchIndex);
+	if (rhsStart === null) return false;
+	const first = content[rhsStart];
+	const safeNames = collectSafeHtmlNames(content, matchIndex);
+	if (isSafeHtmlExpression(readSingleLineRhs(content, rhsStart), safeNames)) return true;
+	if (isSafeMapJoinHtmlAssignment(content, rhsStart)) return true;
+	if (first === "'" || first === "\"") {
+		const quoted = consumeQuotedLiteral(content, rhsStart, first);
+		return Boolean(quoted && assignmentTailIsClosed(content, quoted.endIndex));
+	}
+	if (first !== "`") return false;
+	const template = consumeTemplateLiteral(content, rhsStart);
+	if (!template || !assignmentTailIsClosed(content, template.endIndex)) return false;
+	const expressions = templateExpressions(template.body);
+	if (expressions.length === 0) return true;
+	return expressions.every((expr) => isSafeHtmlExpression(expr, safeNames));
+};
+
 //#endregion
 //#region src/engines/security/risky.ts
 const ev = "eval";
@@ -5990,6 +6286,30 @@ const isStructuredDataScript = (content, matchIndex) => {
 	const after = content.slice(matchIndex, Math.min(content.length, matchIndex + 180));
 	return /__html\s*:\s*JSON\.stringify\s*\(/.test(after);
 };
+const isSafeShellSpawnArray = (content, matchIndex) => /^spawn\s*\(\s*\[/.test(content.slice(matchIndex)) && !/^\s*spawn\s*\(\s*\[\s*["'](?:sh|bash|zsh|cmd|cmd\.exe|powershell|pwsh)["']\s*,\s*["'](?:-c|\/c|\/C)["']/i.test(content.slice(matchIndex)) && !/shell\s*:\s*true\b/.test(content.slice(matchIndex, matchIndex + 500));
+const PLACEHOLDER_EXPR_RE = /^(?:placeholders?|placeholderList|bindMarkers?|bindingMarkers?|bindPlaceholders?|bindingPlaceholders?|parameterPlaceholders?|sqlPlaceholders?)(?:\.\w+\([^)]*\))?$/i;
+const SQL_PLACEHOLDER_LITERAL_RE = /["'](?:\?|\$\d+|\$\{[^}]+\})["']/;
+const escapeRegExp = (value) => value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+const isGeneratedPlaceholderList = (content, matchIndex, placeholderExpr) => {
+	const name = placeholderExpr.match(/^([A-Za-z_$][\w$]*)/)?.[1];
+	if (!name) return false;
+	const prefix = content.slice(Math.max(0, matchIndex - 4e3), matchIndex);
+	const declarationRe = new RegExp(`\\b(?:const|let|var)\\s+${escapeRegExp(name)}\\s*=\\s*([^;\\n]+)`, "g");
+	const declaration = [...prefix.matchAll(declarationRe)].at(-1);
+	if (!declaration) return false;
+	const expr = declaration[1];
+	if (!/\.join\s*\(/.test(expr)) return false;
+	return /\.map\s*\(/.test(expr) && /=>/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr) || /\.fill\s*\(/.test(expr) && SQL_PLACEHOLDER_LITERAL_RE.test(expr);
+};
+const isSafeSqlPlaceholderTemplate = (content, matchIndex) => {
+	const template = consumeTemplateLiteral(content, matchIndex);
+	if (!template) return false;
+	const afterTemplate = content.slice(template.endIndex + 1);
+	if (!(/^\s*,/.test(afterTemplate) || /^\s*\)\s*\.(?:all|get|run|values)\s*\(/.test(afterTemplate))) return false;
+	const expressions = [...template.body.matchAll(/\$\{\s*([^}]+?)\s*\}/g)].map((match) => match[1].trim());
+	if (expressions.length === 0) return false;
+	return expressions.every((expr) => PLACEHOLDER_EXPR_RE.test(expr) && isGeneratedPlaceholderList(content, matchIndex, expr));
+};
 const detectRiskyConstructs = async (context) => {
 	const files = getSourceFiles(context);
 	const diagnostics = [];
@@ -6010,13 +6330,15 @@ const detectRiskyConstructs = async (context) => {
 			if (!extensions.includes(ext)) continue;
 			if (isMigrationOrSeeder && name === "sql-injection") continue;
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(masked)) !== null) {
+			for (const match of masked.matchAll(regex)) {
 				const line = content.slice(0, match.index).split("\n").length;
 				if (name === "innerhtml") {
 					const beforeMatch = content.slice(Math.max(0, match.index - 200), match.index);
+					if (isSafeInnerHtmlAssignment(content, match.index)) continue;
 					if (/(?:template|tmpl|tpl)$/i.test(beforeMatch.trimEnd()) || /createElement\s*\(\s*['"]template['"]\s*\)$/.test(beforeMatch.trimEnd())) continue;
 				}
+				if (name === "sql-injection" && isSafeSqlPlaceholderTemplate(content, match.index)) continue;
+				if (name === "shell-injection" && isSafeShellSpawnArray(content, match.index)) continue;
 				if (name === "dangerously-set-innerhtml") {
 					if (hasDangerouslySetInnerHtmlIgnore(lines, line - 1)) continue;
 					if (isStructuredDataScript(content, match.index)) continue;
@@ -6113,7 +6435,28 @@ const PLACEHOLDER_EXACT = new Set([
 	"todo",
 	"replace_me"
 ]);
+const PLACEHOLDER_URL_PARTS = new Set([
+	"example",
+	"host",
+	"localhost",
+	"pass",
+	"password",
+	"pw",
+	"user",
+	"username"
+]);
+const isPlaceholderCredentialUrl = (matchedText) => {
+	const credentialMatch = matchedText.match(/^[a-z]+:\/\/([^:@/\s]+):([^@/\s]+)@/i);
+	if (credentialMatch) return PLACEHOLDER_URL_PARTS.has(credentialMatch[1].toLowerCase()) && PLACEHOLDER_URL_PARTS.has(credentialMatch[2].toLowerCase());
+	try {
+		const parsed = new URL(matchedText);
+		return PLACEHOLDER_URL_PARTS.has(parsed.username.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.password.toLowerCase()) && PLACEHOLDER_URL_PARTS.has(parsed.hostname.toLowerCase());
+	} catch {
+		return false;
+	}
+};
 const isPlaceholderValue = (matchedText) => {
+	if (isPlaceholderCredentialUrl(matchedText)) return true;
 	if (/env\(/i.test(matchedText)) return true;
 	if (matchedText.includes("process.env")) return true;
 	if (matchedText.includes("os.environ")) return true;
@@ -6143,8 +6486,7 @@ const scanSecrets = async (context) => {
 		const relativePath = path.relative(context.rootDirectory, filePath);
 		for (const { pattern, name, keywordPrefixed } of SECRET_PATTERNS) {
 			const regex = new RegExp(pattern.source, pattern.flags);
-			let match;
-			while ((match = regex.exec(content)) !== null) {
+			for (const match of content.matchAll(regex)) {
 				if (isPlaceholderValue(match[1] ?? match[0])) continue;
 				if (keywordPrefixed && isInsideStringLiteral(content, match.index)) continue;
 				const line = content.slice(0, match.index).split("\n").length;
@@ -6235,23 +6577,36 @@ const STYLE_RULES = new Set([
 	"complexity/function-too-long"
 ]);
 const STYLE_WEIGHT = .5;
+const COMMENT_STYLE_RULE_CAP = 12;
+const COMMENT_STYLE_RULES = new Set(["ai-slop/trivial-comment", "ai-slop/narrative-comment"]);
 const getEffectiveFileCount = (diagnostics, sourceFileCount) => {
 	if (typeof sourceFileCount === "number" && sourceFileCount > 0) return sourceFileCount;
 	const filesWithDiagnostics = new Set(diagnostics.map((d) => d.filePath)).size;
 	return Math.max(1, filesWithDiagnostics);
 };
-const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing) => {
+const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoothing, maxPerRule) => {
 	if (diagnostics.length === 0) return {
 		score: PERFECT_SCORE,
 		label: "Healthy"
 	};
-	let deductions = 0;
+	const deductionsByRule = /* @__PURE__ */ new Map();
 	for (const d of diagnostics) {
 		const engineWeight = weights[d.engine] ?? 1;
 		const severityPenalty = d.severity === "error" ? 3 : d.severity === "warning" ? 1 : .25;
 		const styleFactor = STYLE_RULES.has(d.rule) ? STYLE_WEIGHT : 1;
-		deductions += severityPenalty * engineWeight * styleFactor;
-	}
+		const key = `${d.engine}:${d.rule}`;
+		deductionsByRule.set(key, (deductionsByRule.get(key) ?? 0) + severityPenalty * engineWeight * styleFactor);
+	}
+	const defaultRuleCap = typeof maxPerRule === "number" && maxPerRule > 0 ? maxPerRule : null;
+	const capForRule = (key) => {
+		const rule = key.slice(key.indexOf(":") + 1);
+		if (COMMENT_STYLE_RULES.has(rule)) return defaultRuleCap ? Math.min(defaultRuleCap, COMMENT_STYLE_RULE_CAP) : COMMENT_STYLE_RULE_CAP;
+		return defaultRuleCap;
+	};
+	const deductions = [...deductionsByRule.entries()].reduce((total, [key, value]) => {
+		const cap = capForRule(key);
+		return total + (cap ? Math.min(value, cap) : value);
+	}, 0);
 	const effectiveFileCount = getEffectiveFileCount(diagnostics, sourceFileCount);
 	const smoothingConstant = typeof smoothing === "number" ? smoothing : 10;
 	const issueDensity = Math.min(1, diagnostics.length / (effectiveFileCount + smoothingConstant));
@@ -6265,6 +6620,64 @@ const calculateScore = (diagnostics, weights, thresholds, sourceFileCount, smoot
 
 //#endregion
 //#region src/utils/discover.ts
+const UNSUPPORTED_CODE_EXTENSIONS = {
+	".c": "C/C++",
+	".h": "C/C++",
+	".cc": "C/C++",
+	".cpp": "C/C++",
+	".cxx": "C/C++",
+	".hpp": "C/C++",
+	".hh": "C/C++",
+	".hxx": "C/C++",
+	".cs": "C#",
+	".swift": "Swift",
+	".kt": "Kotlin",
+	".kts": "Kotlin",
+	".m": "Objective-C",
+	".mm": "Objective-C",
+	".scala": "Scala",
+	".dart": "Dart",
+	".ex": "Elixir",
+	".exs": "Elixir",
+	".erl": "Erlang",
+	".hs": "Haskell",
+	".clj": "Clojure",
+	".cljs": "Clojure",
+	".lua": "Lua",
+	".jl": "Julia",
+	".zig": "Zig",
+	".nim": "Nim",
+	".ml": "OCaml",
+	".fs": "F#",
+	".sol": "Solidity",
+	".groovy": "Groovy"
+};
+const analyzeCoverage = (rootDirectory, excludePatterns = []) => {
+	const allFiles = listProjectFiles(rootDirectory);
+	const supportedFiles = filterProjectFiles(rootDirectory, allFiles, [], excludePatterns).length;
+	const counts = /* @__PURE__ */ new Map();
+	let unsupportedFiles = 0;
+	const candidates = filterProjectFiles(rootDirectory, allFiles, Object.keys(UNSUPPORTED_CODE_EXTENSIONS), excludePatterns);
+	for (const file of candidates) {
+		const lang = UNSUPPORTED_CODE_EXTENSIONS[path.extname(file).toLowerCase()];
+		if (!lang) continue;
+		unsupportedFiles += 1;
+		counts.set(lang, (counts.get(lang) ?? 0) + 1);
+	}
+	let dominantUnsupported = null;
+	let max = 0;
+	for (const [lang, count] of counts) if (count > max) {
+		max = count;
+		dominantUnsupported = lang;
+	}
+	const negligible = supportedFiles === 0 || unsupportedFiles >= 10 && unsupportedFiles > supportedFiles * 3;
+	return {
+		supportedFiles,
+		unsupportedFiles,
+		dominantUnsupported,
+		scoreable: !negligible
+	};
+};
 const LANGUAGE_SIGNALS = {
 	"tsconfig.json": "typescript",
 	"go.mod": "go",
@@ -6384,11 +6797,12 @@ const checkInstalledTools = async () => {
 	}));
 	return results;
 };
-const discoverProject = async (directory) => {
+const discoverProject = async (directory, excludePatterns = []) => {
 	const resolvedDir = path.resolve(directory);
 	const languages = detectLanguages(resolvedDir);
 	const frameworks = detectFrameworks(resolvedDir);
 	const sourceFileCount = countSourceFiles(resolvedDir);
+	const coverage = analyzeCoverage(resolvedDir, excludePatterns);
 	const installedTools = await checkInstalledTools();
 	return {
 		rootDirectory: resolvedDir,
@@ -6396,6 +6810,7 @@ const discoverProject = async (directory) => {
 		languages,
 		frameworks,
 		sourceFileCount,
+		coverage,
 		installedTools
 	};
 };
@@ -6434,6 +6849,107 @@ const readBaseline = (cwd) => {
 	}
 };
 
+//#endregion
+//#region src/output/finding-assessment.ts
+const FINDING_KIND_LABELS = {
+	"confirmed-defect": "confirmed defects",
+	"conservative-security": "conservative security",
+	"style-policy": "style/policy",
+	"ai-slop-indicator": "AI-slop indicators"
+};
+const STYLE_POLICY_RULES = new Set([
+	"ai-slop/trivial-comment",
+	"ai-slop/narrative-comment",
+	"ai-slop/meta-comment",
+	"ai-slop/console-leftover",
+	"ai-slop/ts-directive",
+	"complexity/file-too-large",
+	"complexity/function-too-long",
+	"complexity/deep-nesting",
+	"complexity/too-many-params",
+	"code-quality/duplicate-block",
+	"eslint/no-empty",
+	"eslint/no-unused-vars",
+	"eslint/no-useless-escape",
+	"eslint/no-unused-expressions",
+	"unicorn/no-useless-fallback-in-spread",
+	"unicorn/prefer-string-starts-ends-with",
+	"unicorn/no-new-array",
+	"unicorn/no-useless-spread"
+]);
+const CONFIRMED_DEFECT_RULES = new Set([
+	"ai-slop/hallucinated-import",
+	"eslint/no-undef",
+	"eslint/no-unreachable",
+	"security/vulnerable-dependency"
+]);
+const LOW_CONFIDENCE_SECURITY_RULES = new Set(["security/innerhtml", "security/dangerously-set-innerhtml"]);
+const confidenceFor = (diagnostic, kind) => {
+	if (kind === "confirmed-defect") return "high";
+	if (kind === "style-policy") return "medium";
+	if (kind === "conservative-security") {
+		if (LOW_CONFIDENCE_SECURITY_RULES.has(diagnostic.rule)) return "medium";
+		return diagnostic.severity === "error" ? "high" : "medium";
+	}
+	return diagnostic.severity === "error" ? "high" : "medium";
+};
+const classifyKind = (diagnostic) => {
+	if (CONFIRMED_DEFECT_RULES.has(diagnostic.rule)) return "confirmed-defect";
+	if (diagnostic.engine === "security") return "conservative-security";
+	if (STYLE_POLICY_RULES.has(diagnostic.rule)) return "style-policy";
+	if (diagnostic.engine === "format" || diagnostic.engine === "code-quality") return "style-policy";
+	if (diagnostic.engine === "ai-slop") return "ai-slop-indicator";
+	if (diagnostic.severity === "error") return "confirmed-defect";
+	return "style-policy";
+};
+const assessDiagnostic = (diagnostic) => {
+	const kind = classifyKind(diagnostic);
+	return {
+		kind,
+		confidence: confidenceFor(diagnostic, kind),
+		label: FINDING_KIND_LABELS[kind]
+	};
+};
+const summarizeFindingAssessments = (diagnostics) => {
+	const byKind = {
+		"confirmed-defect": 0,
+		"conservative-security": 0,
+		"style-policy": 0,
+		"ai-slop-indicator": 0
+	};
+	const byConfidence = {
+		high: 0,
+		medium: 0,
+		low: 0
+	};
+	const rows = /* @__PURE__ */ new Map();
+	for (const diagnostic of diagnostics) {
+		const assessment = assessDiagnostic(diagnostic);
+		byKind[assessment.kind]++;
+		byConfidence[assessment.confidence]++;
+		const row = rows.get(assessment.kind) ?? {
+			kind: assessment.kind,
+			label: assessment.label,
+			count: 0,
+			errors: 0,
+			warnings: 0,
+			info: 0,
+			fixable: 0
+		};
+		row.count++;
+		if (diagnostic.severity === "error") row.errors++;
+		else if (diagnostic.severity === "warning") row.warnings++;
+		else row.info++;
+		if (diagnostic.fixable) row.fixable++;
+		rows.set(assessment.kind, row);
+	}
+	return {
+		rows: [...rows.values()].sort((a, b) => b.count - a.count),
+		byKind,
+		byConfidence
+	};
+};
+
 //#endregion
 //#region src/mcp/tools.ts
 const MAX_FINDINGS = 25;
@@ -6471,27 +6987,32 @@ const summariseDiagnostic = (d, rootDirectory) => ({
 	column: d.column,
 	rule: d.rule,
 	severity: d.severity,
+	assessment: assessDiagnostic(d),
 	message: d.message,
 	fixable: d.fixable,
 	help: d.help || void 0
 });
 const summariseDiagnostics = (diagnostics, rootDirectory) => {
+	const counts = {
+		error: diagnostics.filter((d) => d.severity === "error").length,
+		warning: diagnostics.filter((d) => d.severity === "warning").length,
+		fixable: diagnostics.filter((d) => d.fixable).length,
+		total: diagnostics.length
+	};
+	const findings = diagnostics.slice(0, MAX_FINDINGS).map((d) => summariseDiagnostic(d, rootDirectory));
+	const elided = diagnostics.length > MAX_FINDINGS ? diagnostics.length - MAX_FINDINGS : 0;
 	return {
-		counts: {
-			error: diagnostics.filter((d) => d.severity === "error").length,
-			warning: diagnostics.filter((d) => d.severity === "warning").length,
-			fixable: diagnostics.filter((d) => d.fixable).length,
-			total: diagnostics.length
-		},
-		findings: diagnostics.slice(0, MAX_FINDINGS).map((d) => summariseDiagnostic(d, rootDirectory)),
-		elided: diagnostics.length > MAX_FINDINGS ? diagnostics.length - MAX_FINDINGS : 0
+		counts,
+		findingAssessment: summarizeFindingAssessments(diagnostics),
+		findings,
+		elided
 	};
 };
 const runScan = async (cwd) => {
 	const project = await discoverProject(cwd);
 	const config = loadConfig(cwd);
 	const diagnostics = (await runEngines(buildEngineContext(project.rootDirectory, project, config), enabledEnginesFromConfig(config))).flatMap((r) => r.diagnostics);
-	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing);
+	const { score } = calculateScore(diagnostics, config.scoring.weights, config.scoring.thresholds, project.sourceFileCount, config.scoring.smoothing, config.scoring.maxPerRule);
 	const errorCount = diagnostics.filter((d) => d.severity === "error").length;
 	const failBelow = config.ci.failBelow;
 	return {
@@ -6617,7 +7138,7 @@ const handleAislopBaseline = (input) => {
 
 //#endregion
 //#region src/version.ts
-const APP_VERSION = "0.10.1";
+const APP_VERSION = "0.11.0";
 
 //#endregion
 //#region src/telemetry/env.ts
@@ -6813,9 +7334,14 @@ const track = (input) => {
 	pendingRequests.add(request);
 	return { installCreated };
 };
-const flushTelemetry = async () => {
+const flushTelemetry = async (timeoutMs) => {
 	if (pendingRequests.size === 0) return;
-	await Promise.all(pendingRequests);
+	const all = Promise.all(pendingRequests);
+	if (timeoutMs == null) {
+		await all;
+		return;
+	}
+	await Promise.race([all, new Promise((resolve) => setTimeout(resolve, timeoutMs))]);
 };
 
 //#endregion